Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7950COPY.exe

Overview

General Information

Sample name:7950COPY.exe
Analysis ID:1542909
MD5:366019444461914c99eca593e71a9a02
SHA1:5b5f155953bbc13bf852a673e4be088afc57dda9
SHA256:369c60a89a3351e62008c3f8014ebe5424a67ef020767f0d37b7939243d6e808
Tags:exeFormbookuser-threatcat_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Disables UAC (registry)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 7950COPY.exe (PID: 6908 cmdline: "C:\Users\user\Desktop\7950COPY.exe" MD5: 366019444461914C99ECA593E71A9A02)
    • powershell.exe (PID: 6188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5000 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • regedit.exe (PID: 2000 cmdline: "C:\Windows\regedit.exe" MD5: 999A30979F6195BF562068639FFC4426)
    • cmd.exe (PID: 916 cmdline: "C:\Windows\System32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • ilasm.exe (PID: 5332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" MD5: 2B2AE2C9C5D693D2306EF388583B1A03)
    • ilasm.exe (PID: 1732 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" MD5: 2B2AE2C9C5D693D2306EF388583B1A03)
    • WerFault.exe (PID: 3612 cmdline: C:\Windows\system32\WerFault.exe -u -p 6908 -s 1532 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • psr.exe (PID: 1360 cmdline: "C:\Windows\SysWOW64\psr.exe" MD5: 3117B8F9AF28E7E720739A2C13F919C2)
    • fltMC.exe (PID: 5796 cmdline: "C:\Windows\SysWOW64\fltMC.exe" MD5: 330E111C418797FC2E56F3F7E5FAAB9A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.3601048120.0000000000C50000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000F.00000002.3601268503.0000000003110000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        0000000F.00000002.3601299719.0000000003160000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000005.00000002.2188485814.0000000005DB0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.2.ilasm.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              5.2.ilasm.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7950COPY.exe", ParentImage: C:\Users\user\Desktop\7950COPY.exe, ParentProcessId: 6908, ParentProcessName: 7950COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, ProcessId: 6188, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7950COPY.exe", ParentImage: C:\Users\user\Desktop\7950COPY.exe, ParentProcessId: 6908, ParentProcessName: 7950COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, ProcessId: 6188, ProcessName: powershell.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7950COPY.exe", ParentImage: C:\Users\user\Desktop\7950COPY.exe, ParentProcessId: 6908, ParentProcessName: 7950COPY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force, ProcessId: 6188, ProcessName: powershell.exe

                Suricata Signatures

                No Suricata rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: 7950COPY.exeAvira: detected
                Multi AV Scanner detection for submitted file
                Source: 7950COPY.exeReversingLabs: Detection: 63%
                Yara detected FormBook
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.3601048120.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601268503.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601299719.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188485814.0000000005DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: 7950COPY.exeJoe Sandbox ML: detected

                Exploits

                barindex
                Yara detected UAC Bypass using CMSTP
                Source: Yara matchFile source: 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: 7950COPY.exe PID: 6908, type: MEMORYSTR
                Source: 7950COPY.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: fltMC.pdb source: ilasm.exe, 00000005.00000002.2188442822.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: .pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: 7950COPY.exe, 00000000.00000002.2311713328.0000000015DDC000.00000004.80000000.00040000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601098295.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601717977.00000000039AC000.00000004.10000000.00040000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Windows.Forms.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Drawing.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: mscorlib.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: wntdll.pdbUGP source: ilasm.exe, 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601401909.00000000034DE000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2188880100.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2190926695.0000000003199000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601401909.0000000003340000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: wntdll.pdb source: ilasm.exe, ilasm.exe, 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, fltMC.exe, 0000000F.00000002.3601401909.00000000034DE000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2188880100.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2190926695.0000000003199000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601401909.0000000003340000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Drawing.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: ilasm.pdb source: 7950COPY.exe, 00000000.00000002.2311713328.0000000015DDC000.00000004.80000000.00040000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601098295.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601717977.00000000039AC000.00000004.10000000.00040000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: fltMC.pdbGCTL source: ilasm.exe, 00000005.00000002.2188442822.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Core.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 4x nop then xor eax, eax15_2_00C59DD0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 4x nop then mov ebx, 00000004h15_2_032604E1
                Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.3601048120.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601268503.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601299719.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188485814.0000000005DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Uses regedit.exe to modify the Windows registry
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0042C3D3 NtClose,5_2_0042C3D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED35C0 NtCreateMutant,LdrInitializeThunk,5_2_05ED35C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_05ED2DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_05ED2CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_05ED2C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2F90 NtProtectVirtualMemory,LdrInitializeThunk,5_2_05ED2F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2B60 NtClose,LdrInitializeThunk,5_2_05ED2B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED4650 NtSuspendThread,5_2_05ED4650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED3090 NtSetValueKey,5_2_05ED3090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED3010 NtOpenDirectoryObject,5_2_05ED3010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED4340 NtSetContextThread,5_2_05ED4340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2DD0 NtDelayExecution,5_2_05ED2DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2DB0 NtEnumerateKey,5_2_05ED2DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED3D70 NtOpenThread,5_2_05ED3D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2D30 NtUnmapViewOfSection,5_2_05ED2D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2D00 NtSetInformationFile,5_2_05ED2D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2D10 NtMapViewOfSection,5_2_05ED2D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED3D10 NtOpenProcessToken,5_2_05ED3D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2CF0 NtOpenProcess,5_2_05ED2CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2CC0 NtQueryVirtualMemory,5_2_05ED2CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2C60 NtCreateKey,5_2_05ED2C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2C00 NtQueryInformationProcess,5_2_05ED2C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2FE0 NtCreateFile,5_2_05ED2FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2FA0 NtQuerySection,5_2_05ED2FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2FB0 NtResumeThread,5_2_05ED2FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2F60 NtCreateProcessEx,5_2_05ED2F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2F30 NtCreateSection,5_2_05ED2F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2EE0 NtQueueApcThread,5_2_05ED2EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2EA0 NtAdjustPrivilegesToken,5_2_05ED2EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2E80 NtReadVirtualMemory,5_2_05ED2E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2E30 NtWriteVirtualMemory,5_2_05ED2E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED39B0 NtGetContextThread,5_2_05ED39B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2BE0 NtQueryValueKey,5_2_05ED2BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2BF0 NtAllocateVirtualMemory,5_2_05ED2BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2BA0 NtEnumerateValueKey,5_2_05ED2BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2B80 NtQueryInformationFile,5_2_05ED2B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2AF0 NtWriteFile,5_2_05ED2AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2AD0 NtReadFile,5_2_05ED2AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2AB0 NtWaitForSingleObject,5_2_05ED2AB0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B35C0 NtCreateMutant,LdrInitializeThunk,15_2_033B35C0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2B60 NtClose,LdrInitializeThunk,15_2_033B2B60
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_033B2BF0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2BE0 NtQueryValueKey,LdrInitializeThunk,15_2_033B2BE0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2AD0 NtReadFile,LdrInitializeThunk,15_2_033B2AD0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2F30 NtCreateSection,LdrInitializeThunk,15_2_033B2F30
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2FE0 NtCreateFile,LdrInitializeThunk,15_2_033B2FE0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2D10 NtMapViewOfSection,LdrInitializeThunk,15_2_033B2D10
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2DF0 NtQuerySystemInformation,LdrInitializeThunk,15_2_033B2DF0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2DD0 NtDelayExecution,LdrInitializeThunk,15_2_033B2DD0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2C70 NtFreeVirtualMemory,LdrInitializeThunk,15_2_033B2C70
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2C60 NtCreateKey,LdrInitializeThunk,15_2_033B2C60
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2CA0 NtQueryInformationToken,LdrInitializeThunk,15_2_033B2CA0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B4340 NtSetContextThread,15_2_033B4340
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B3010 NtOpenDirectoryObject,15_2_033B3010
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B3090 NtSetValueKey,15_2_033B3090
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B4650 NtSuspendThread,15_2_033B4650
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2BA0 NtEnumerateValueKey,15_2_033B2BA0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2B80 NtQueryInformationFile,15_2_033B2B80
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2AB0 NtWaitForSingleObject,15_2_033B2AB0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2AF0 NtWriteFile,15_2_033B2AF0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B39B0 NtGetContextThread,15_2_033B39B0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2F60 NtCreateProcessEx,15_2_033B2F60
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2FB0 NtResumeThread,15_2_033B2FB0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2FA0 NtQuerySection,15_2_033B2FA0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2F90 NtProtectVirtualMemory,15_2_033B2F90
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2E30 NtWriteVirtualMemory,15_2_033B2E30
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2EA0 NtAdjustPrivilegesToken,15_2_033B2EA0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2E80 NtReadVirtualMemory,15_2_033B2E80
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2EE0 NtQueueApcThread,15_2_033B2EE0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2D30 NtUnmapViewOfSection,15_2_033B2D30
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B3D10 NtOpenProcessToken,15_2_033B3D10
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2D00 NtSetInformationFile,15_2_033B2D00
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B3D70 NtOpenThread,15_2_033B3D70
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2DB0 NtEnumerateKey,15_2_033B2DB0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2C00 NtQueryInformationProcess,15_2_033B2C00
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2CF0 NtOpenProcess,15_2_033B2CF0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B2CC0 NtQueryVirtualMemory,15_2_033B2CC0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C79070 NtReadFile,15_2_00C79070
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C79200 NtClose,15_2_00C79200
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C79370 NtAllocateVirtualMemory,15_2_00C79370
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C78F00 NtCreateFile,15_2_00C78F00
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03273520 NtSetContextThread,15_2_03273520
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0327453D NtMapViewOfSection,15_2_0327453D
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03273B42 NtResumeThread,15_2_03273B42
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03274908 NtUnmapViewOfSection,15_2_03274908
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03273830 NtSuspendThread,15_2_03273830
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03273E50 NtQueueApcThread,15_2_03273E50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004183835_2_00418383
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004029EB5_2_004029EB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004029F05_2_004029F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0042E9F35_2_0042E9F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004011A05_2_004011A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004022405_2_00402240
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0040FC5B5_2_0040FC5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0040FC635_2_0040FC63
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00402CD05_2_00402CD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004025605_2_00402560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004165C35_2_004165C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004165BE5_2_004165BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0040FE835_2_0040FE83
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00402F505_2_00402F50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0040DF035_2_0040DF03
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3D5B05_2_05F3D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F605915_2_05F60591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F575715_2_05F57571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA05355_2_05EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4E4F65_2_05F4E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E914605_2_05E91460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F524465_2_05F52446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5F43F5_2_05F5F43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9C7C05_2_05E9C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5F7B05_2_05F5F7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA07705_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC47505_2_05EC4750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBC6E05_2_05EBC6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F516CC5_2_05F516CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F581CC5_2_05F581CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAB1B05_2_05EAB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F601AA5_2_05F601AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED516C5_2_05ED516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F1725_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F6B16B5_2_05F6B16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E901005_2_05E90100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3A1185_2_05F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5F0E05_2_05F5F0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F570E95_2_05F570E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C05_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4F0CC5_2_05F4F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F603E65_2_05F603E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE3F05_2_05EAE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EE739A5_2_05EE739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8D34C5_2_05E8D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5A3525_2_05F5A352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5132D5_2_05F5132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F412ED5_2_05F412ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBD2F05_2_05EBD2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBB2C05_2_05EBB2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA52A05_2_05EA52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F402745_2_05F40274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9ADE05_2_05E9ADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBFDC05_2_05EBFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB8DBF5_2_05EB8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F57D735_2_05F57D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA3D405_2_05EA3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F51D5A5_2_05F51D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAAD005_2_05EAAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5FCF25_2_05F5FCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E90CF25_2_05E90CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F40CB55_2_05F40CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F19C325_2_05F19C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0C005_2_05EA0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E92FC85_2_05E92FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5FFB15_2_05F5FFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1F925_2_05EA1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F14F405_2_05F14F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EE2F285_2_05EE2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC0F305_2_05EC0F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5FF095_2_05F5FF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5EEDB5_2_05F5EEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA9EB05_2_05EA9EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5CE935_2_05F5CE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB2E905_2_05EB2E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0E595_2_05EA0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5EE265_2_05F5EE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA29A05_2_05EA29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F6A9A65_2_05F6A9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB69625_2_05EB6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA99505_2_05EA9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBB9505_2_05EBB950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA38E05_2_05EA38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE8F05_2_05ECE8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E868B85_2_05E868B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA28405_2_05EA2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAA8405_2_05EAA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D8005_2_05F0D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EDDBF95_2_05EDDBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F56BD75_2_05F56BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBFB805_2_05EBFB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5FB765_2_05F5FB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5AB405_2_05F5AB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4DAC65_2_05F4DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EE5AA05_2_05EE5AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3DAAC5_2_05F3DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9EA805_2_05E9EA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F13A6C5_2_05F13A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F57A465_2_05F57A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5FA495_2_05F5FA49
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343A35215_2_0343A352
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343132D15_2_0343132D
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0336D34C15_2_0336D34C
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_034403E615_2_034403E6
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033C739A15_2_033C739A
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338E3F015_2_0338E3F0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0342027415_2_03420274
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033852A015_2_033852A0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_034212ED15_2_034212ED
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0339D2F015_2_0339D2F0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0339B2C015_2_0339B2C0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0340815815_2_03408158
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0344B16B15_2_0344B16B
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0337010015_2_03370100
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0336F17215_2_0336F172
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033B516C15_2_033B516C
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0341A11815_2_0341A118
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338B1B015_2_0338B1B0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_034381CC15_2_034381CC
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_034401AA15_2_034401AA
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0342F0CC15_2_0342F0CC
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343F0E015_2_0343F0E0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_034370E915_2_034370E9
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033870C015_2_033870C0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338077015_2_03380770
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033A475015_2_033A4750
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343F7B015_2_0343F7B0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0337C7C015_2_0337C7C0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_034316CC15_2_034316CC
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0339C6E015_2_0339C6E0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338053515_2_03380535
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343757115_2_03437571
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0344059115_2_03440591
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0341D5B015_2_0341D5B0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343244615_2_03432446
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0337146015_2_03371460
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343F43F15_2_0343F43F
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0342E4F615_2_0342E4F6
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343AB4015_2_0343AB40
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343FB7615_2_0343FB76
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03436BD715_2_03436BD7
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0339FB8015_2_0339FB80
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033BDBF915_2_033BDBF9
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033F5BF015_2_033F5BF0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03437A4615_2_03437A46
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343FA4915_2_0343FA49
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033F3A6C15_2_033F3A6C
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0342DAC615_2_0342DAC6
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033C5AA015_2_033C5AA0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0337EA8015_2_0337EA80
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0341DAAC15_2_0341DAAC
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0339696215_2_03396962
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338995015_2_03389950
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0339B95015_2_0339B950
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033829A015_2_033829A0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0344A9A615_2_0344A9A6
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033ED80015_2_033ED800
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338A84015_2_0338A840
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338284015_2_03382840
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033668B815_2_033668B8
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033AE8F015_2_033AE8F0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033838E015_2_033838E0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033A0F3015_2_033A0F30
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033C2F2815_2_033C2F28
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343FF0915_2_0343FF09
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033F4F4015_2_033F4F40
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03381F9215_2_03381F92
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343FFB115_2_0343FFB1
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03372FC815_2_03372FC8
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03380E5915_2_03380E59
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343EE2615_2_0343EE26
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03389EB015_2_03389EB0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343EEDB15_2_0343EEDB
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03392E9015_2_03392E90
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343CE9315_2_0343CE93
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03431D5A15_2_03431D5A
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03437D7315_2_03437D73
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0338AD0015_2_0338AD00
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03383D4015_2_03383D40
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03398DBF15_2_03398DBF
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0337ADE015_2_0337ADE0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0339FDC015_2_0339FDC0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033F9C3215_2_033F9C32
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03380C0015_2_03380C00
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0343FCF215_2_0343FCF2
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03370CF215_2_03370CF2
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_03420CB515_2_03420CB5
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C61B5015_2_00C61B50
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C651B015_2_00C651B0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C633EB15_2_00C633EB
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C633F015_2_00C633F0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C7B82015_2_00C7B820
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C5CA8815_2_00C5CA88
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C5CA9015_2_00C5CA90
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C5CCB015_2_00C5CCB0
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C5AD3015_2_00C5AD30
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0326E35315_2_0326E353
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0326E23815_2_0326E238
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0326D7B815_2_0326D7B8
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0326E6EC15_2_0326E6EC
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_0326CA6815_2_0326CA68
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: String function: 033FF290 appears 103 times
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: String function: 033B5130 appears 36 times
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: String function: 033C7E54 appears 93 times
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: String function: 0336B970 appears 250 times
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: String function: 033EEA12 appears 86 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: String function: 05F1F290 appears 103 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: String function: 05ED5130 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: String function: 05F0EA12 appears 84 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: String function: 05EE7E54 appears 85 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: String function: 05E8B970 appears 248 times
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6908 -s 1532
                Source: 7950COPY.exeStatic PE information: No import functions for PE file found
                Source: 7950COPY.exe, 00000000.00000002.2311713328.0000000015DDC000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameilasm.exeT vs 7950COPY.exe
                Source: 7950COPY.exe, 00000000.00000000.1738544482.0000017095B06000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNewStb.exe4 vs 7950COPY.exe
                Source: 7950COPY.exeBinary or memory string: OriginalFilenameNewStb.exe4 vs 7950COPY.exe
                Source: classification engineClassification label: mal100.troj.expl.evad.winEXE@18/10@0/0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
                Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6908
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mwi2efp.lkh.ps1Jump to behavior
                Source: 7950COPY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\7950COPY.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: 7950COPY.exeReversingLabs: Detection: 63%
                Source: C:\Users\user\Desktop\7950COPY.exeFile read: C:\Users\user\Desktop\7950COPY.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\7950COPY.exe "C:\Users\user\Desktop\7950COPY.exe"
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6908 -s 1532
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\SysWOW64\psr.exe "C:\Windows\SysWOW64\psr.exe"
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\SysWOW64\fltMC.exe "C:\Windows\SysWOW64\fltMC.exe"
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -ForceJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\SysWOW64\psr.exe "C:\Windows\SysWOW64\psr.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\SysWOW64\fltMC.exe "C:\Windows\SysWOW64\fltMC.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeSection loaded: fltlib.dllJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\7950COPY.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: 7950COPY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 7950COPY.exeStatic file information: File size 2238495 > 1048576
                Source: 7950COPY.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: System.Windows.Forms.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: fltMC.pdb source: ilasm.exe, 00000005.00000002.2188442822.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: mscorlib.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: .pdbError: CoCreateInstance(IID_ISymUnmanagedWriter) returns %X source: 7950COPY.exe, 00000000.00000002.2311713328.0000000015DDC000.00000004.80000000.00040000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601098295.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601717977.00000000039AC000.00000004.10000000.00040000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Windows.Forms.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Drawing.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: mscorlib.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: wntdll.pdbUGP source: ilasm.exe, 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601401909.00000000034DE000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2188880100.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2190926695.0000000003199000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601401909.0000000003340000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: wntdll.pdb source: ilasm.exe, ilasm.exe, 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, fltMC.exe, 0000000F.00000002.3601401909.00000000034DE000.00000040.00001000.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2188880100.0000000002FE3000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000003.2190926695.0000000003199000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601401909.0000000003340000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: System.Core.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Drawing.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: ilasm.pdb source: 7950COPY.exe, 00000000.00000002.2311713328.0000000015DDC000.00000004.80000000.00040000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601098295.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, fltMC.exe, 0000000F.00000002.3601717977.00000000039AC000.00000004.10000000.00040000.00000000.sdmp
                Source: Binary string: System.Drawing.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: fltMC.pdbGCTL source: ilasm.exe, 00000005.00000002.2188442822.0000000005BB8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.ni.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.pdb source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Core.ni.pdbRSDS source: WER40CA.tmp.dmp.9.dr
                Source: Binary string: System.Core.ni.pdb source: WER40CA.tmp.dmp.9.dr

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 7950COPY.exe, .cs.Net Code: System.AppDomain.Load(byte[])
                Source: 7950COPY.exe, .cs.Net Code: System.AppDomain.Load(byte[])
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0041480E pushad ; ret 5_2_0041481C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0040D14B push ss; iretd 5_2_0040D14C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00407105 push ds; iretd 5_2_00407108
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004031D0 push eax; ret 5_2_004031D2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0040D1A0 push 00000043h; ret 5_2_0040D1A5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0040BAFD push es; ret 5_2_0040BB00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0041A383 push ebp; ret 5_2_0041A3BB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0041645F pushad ; iretd 5_2_0041645E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_0041643E pushad ; iretd 5_2_0041645E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00418D0B pushfd ; retf 5_2_00418D14
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_004235E3 push edi; retf 5_2_004235EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00417E6B push edx; ret 5_2_00417E6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00401602 push ebx; ret 5_2_00401603
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00417E1F push F4118F09h; iretd 5_2_00417E26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00404FE0 push esi; retf 5_2_00404FE5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E909AD push ecx; mov dword ptr [esp], ecx5_2_05E909B6
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_033709AD push ecx; mov dword ptr [esp], ecx15_2_033709B6
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C671B0 push ebp; ret 15_2_00C671E8
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C6328C pushad ; iretd 15_2_00C6328B
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C6F2BF push esi; retn 0000h15_2_00C6F2C7
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C6326B pushad ; iretd 15_2_00C6328B
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C7040D push edi; retf 15_2_00C70419
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C70410 push edi; retf 15_2_00C70419
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C6163B pushad ; ret 15_2_00C61649
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C709D1 push esp; retf 15_2_00C709DD
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C709B6 push ebx; retf 15_2_00C709B7
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C5892A push es; ret 15_2_00C5892D
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C65B38 pushfd ; retf 15_2_00C65B41
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C64C98 push edx; ret 15_2_00C64C99
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C64C4C push F4118F09h; iretd 15_2_00C64C53
                Source: C:\Windows\SysWOW64\fltMC.exeCode function: 15_2_00C51E0D push esi; retf 15_2_00C51E12

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: 7950COPY.exe PID: 6908, type: MEMORYSTR
                Switches to a custom stack to bypass stack traces
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeAPI/Special instruction interceptor: Address: 7FFE22210774
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeAPI/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE22210774
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE2220D8A4
                Source: C:\Windows\SysWOW64\fltMC.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\7950COPY.exeMemory allocated: 17095E40000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory allocated: 170AF800000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory allocated: 170B7EC0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D1C0 rdtsc 5_2_05F0D1C0
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5747Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3158Jump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeWindow / User API: threadDelayed 3370Jump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeWindow / User API: threadDelayed 6605Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeAPI coverage: 1.0 %
                Source: C:\Windows\SysWOW64\fltMC.exeAPI coverage: 1.9 %
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5288Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6012Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exe TID: 1364Thread sleep count: 3370 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exe TID: 1364Thread sleep time: -6740000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exe TID: 1364Thread sleep count: 6605 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exe TID: 1364Thread sleep time: -13210000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeLast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\fltMC.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\fltMC.exeLast function: Thread delayed
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: Amcache.hve.9.drBinary or memory string: VMware
                Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.9.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                Source: Amcache.hve.9.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: 7950COPY.exe, 00000000.00000002.2313369865.0000017095CDB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Amcache.hve.9.drBinary or memory string: vmci.sys
                Source: Amcache.hve.9.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                Source: fltMC.exe, 0000000F.00000002.3601098295.0000000002E90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
                Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.9.drBinary or memory string: VMware20,1
                Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.9.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                Source: 7950COPY.exe, 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                Source: Amcache.hve.9.drBinary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.9.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D1C0 rdtsc 5_2_05F0D1C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_00417513 LdrLoadDll,5_2_00417513
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECC5ED mov eax, dword ptr fs:[00000030h]5_2_05ECC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECC5ED mov eax, dword ptr fs:[00000030h]5_2_05ECC5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E925E0 mov eax, dword ptr fs:[00000030h]5_2_05E925E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE5E7 mov eax, dword ptr fs:[00000030h]5_2_05EBE5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15F4 mov eax, dword ptr fs:[00000030h]5_2_05EB15F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15F4 mov eax, dword ptr fs:[00000030h]5_2_05EB15F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15F4 mov eax, dword ptr fs:[00000030h]5_2_05EB15F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15F4 mov eax, dword ptr fs:[00000030h]5_2_05EB15F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15F4 mov eax, dword ptr fs:[00000030h]5_2_05EB15F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15F4 mov eax, dword ptr fs:[00000030h]5_2_05EB15F4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D5D0 mov eax, dword ptr fs:[00000030h]5_2_05F0D5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D5D0 mov ecx, dword ptr fs:[00000030h]5_2_05F0D5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F635D7 mov eax, dword ptr fs:[00000030h]5_2_05F635D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F635D7 mov eax, dword ptr fs:[00000030h]5_2_05F635D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F635D7 mov eax, dword ptr fs:[00000030h]5_2_05F635D7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE5CF mov eax, dword ptr fs:[00000030h]5_2_05ECE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE5CF mov eax, dword ptr fs:[00000030h]5_2_05ECE5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC55C0 mov eax, dword ptr fs:[00000030h]5_2_05EC55C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB95DA mov eax, dword ptr fs:[00000030h]5_2_05EB95DA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E965D0 mov eax, dword ptr fs:[00000030h]5_2_05E965D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECA5D0 mov eax, dword ptr fs:[00000030h]5_2_05ECA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECA5D0 mov eax, dword ptr fs:[00000030h]5_2_05ECA5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F655C9 mov eax, dword ptr fs:[00000030h]5_2_05F655C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15A9 mov eax, dword ptr fs:[00000030h]5_2_05EB15A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15A9 mov eax, dword ptr fs:[00000030h]5_2_05EB15A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15A9 mov eax, dword ptr fs:[00000030h]5_2_05EB15A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15A9 mov eax, dword ptr fs:[00000030h]5_2_05EB15A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB15A9 mov eax, dword ptr fs:[00000030h]5_2_05EB15A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F235BA mov eax, dword ptr fs:[00000030h]5_2_05F235BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F235BA mov eax, dword ptr fs:[00000030h]5_2_05F235BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F235BA mov eax, dword ptr fs:[00000030h]5_2_05F235BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F235BA mov eax, dword ptr fs:[00000030h]5_2_05F235BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4F5BE mov eax, dword ptr fs:[00000030h]5_2_05F4F5BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F105A7 mov eax, dword ptr fs:[00000030h]5_2_05F105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F105A7 mov eax, dword ptr fs:[00000030h]5_2_05F105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F105A7 mov eax, dword ptr fs:[00000030h]5_2_05F105A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB45B1 mov eax, dword ptr fs:[00000030h]5_2_05EB45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB45B1 mov eax, dword ptr fs:[00000030h]5_2_05EB45B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBF5B0 mov eax, dword ptr fs:[00000030h]5_2_05EBF5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC4588 mov eax, dword ptr fs:[00000030h]5_2_05EC4588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1B594 mov eax, dword ptr fs:[00000030h]5_2_05F1B594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1B594 mov eax, dword ptr fs:[00000030h]5_2_05F1B594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8758F mov eax, dword ptr fs:[00000030h]5_2_05E8758F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8758F mov eax, dword ptr fs:[00000030h]5_2_05E8758F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8758F mov eax, dword ptr fs:[00000030h]5_2_05E8758F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E92582 mov eax, dword ptr fs:[00000030h]5_2_05E92582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E92582 mov ecx, dword ptr fs:[00000030h]5_2_05E92582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE59C mov eax, dword ptr fs:[00000030h]5_2_05ECE59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC656A mov eax, dword ptr fs:[00000030h]5_2_05EC656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC656A mov eax, dword ptr fs:[00000030h]5_2_05EC656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC656A mov eax, dword ptr fs:[00000030h]5_2_05EC656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B562 mov eax, dword ptr fs:[00000030h]5_2_05E8B562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECB570 mov eax, dword ptr fs:[00000030h]5_2_05ECB570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECB570 mov eax, dword ptr fs:[00000030h]5_2_05ECB570
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E98550 mov eax, dword ptr fs:[00000030h]5_2_05E98550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E98550 mov eax, dword ptr fs:[00000030h]5_2_05E98550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F65537 mov eax, dword ptr fs:[00000030h]5_2_05F65537
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE53E mov eax, dword ptr fs:[00000030h]5_2_05EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE53E mov eax, dword ptr fs:[00000030h]5_2_05EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE53E mov eax, dword ptr fs:[00000030h]5_2_05EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE53E mov eax, dword ptr fs:[00000030h]5_2_05EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBE53E mov eax, dword ptr fs:[00000030h]5_2_05EBE53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3F525 mov eax, dword ptr fs:[00000030h]5_2_05F3F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3F525 mov eax, dword ptr fs:[00000030h]5_2_05F3F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3F525 mov eax, dword ptr fs:[00000030h]5_2_05F3F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3F525 mov eax, dword ptr fs:[00000030h]5_2_05F3F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3F525 mov eax, dword ptr fs:[00000030h]5_2_05F3F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3F525 mov eax, dword ptr fs:[00000030h]5_2_05F3F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3F525 mov eax, dword ptr fs:[00000030h]5_2_05F3F525
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4B52F mov eax, dword ptr fs:[00000030h]5_2_05F4B52F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECD530 mov eax, dword ptr fs:[00000030h]5_2_05ECD530
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECD530 mov eax, dword ptr fs:[00000030h]5_2_05ECD530
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9D534 mov eax, dword ptr fs:[00000030h]5_2_05E9D534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9D534 mov eax, dword ptr fs:[00000030h]5_2_05E9D534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9D534 mov eax, dword ptr fs:[00000030h]5_2_05E9D534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9D534 mov eax, dword ptr fs:[00000030h]5_2_05E9D534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9D534 mov eax, dword ptr fs:[00000030h]5_2_05E9D534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9D534 mov eax, dword ptr fs:[00000030h]5_2_05E9D534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0535 mov eax, dword ptr fs:[00000030h]5_2_05EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0535 mov eax, dword ptr fs:[00000030h]5_2_05EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0535 mov eax, dword ptr fs:[00000030h]5_2_05EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0535 mov eax, dword ptr fs:[00000030h]5_2_05EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0535 mov eax, dword ptr fs:[00000030h]5_2_05EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0535 mov eax, dword ptr fs:[00000030h]5_2_05EA0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC7505 mov eax, dword ptr fs:[00000030h]5_2_05EC7505
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC7505 mov ecx, dword ptr fs:[00000030h]5_2_05EC7505
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F64500 mov eax, dword ptr fs:[00000030h]5_2_05F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F64500 mov eax, dword ptr fs:[00000030h]5_2_05F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F64500 mov eax, dword ptr fs:[00000030h]5_2_05F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F64500 mov eax, dword ptr fs:[00000030h]5_2_05F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F64500 mov eax, dword ptr fs:[00000030h]5_2_05F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F64500 mov eax, dword ptr fs:[00000030h]5_2_05F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F64500 mov eax, dword ptr fs:[00000030h]5_2_05F64500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E904E5 mov ecx, dword ptr fs:[00000030h]5_2_05E904E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F394E0 mov eax, dword ptr fs:[00000030h]5_2_05F394E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F654DB mov eax, dword ptr fs:[00000030h]5_2_05F654DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1A4B0 mov eax, dword ptr fs:[00000030h]5_2_05F1A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E964AB mov eax, dword ptr fs:[00000030h]5_2_05E964AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC34B0 mov eax, dword ptr fs:[00000030h]5_2_05EC34B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC44B0 mov ecx, dword ptr fs:[00000030h]5_2_05EC44B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B480 mov eax, dword ptr fs:[00000030h]5_2_05E8B480
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E99486 mov eax, dword ptr fs:[00000030h]5_2_05E99486
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E99486 mov eax, dword ptr fs:[00000030h]5_2_05E99486
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E91460 mov eax, dword ptr fs:[00000030h]5_2_05E91460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E91460 mov eax, dword ptr fs:[00000030h]5_2_05E91460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E91460 mov eax, dword ptr fs:[00000030h]5_2_05E91460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E91460 mov eax, dword ptr fs:[00000030h]5_2_05E91460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E91460 mov eax, dword ptr fs:[00000030h]5_2_05E91460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F6547F mov eax, dword ptr fs:[00000030h]5_2_05F6547F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF460 mov eax, dword ptr fs:[00000030h]5_2_05EAF460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF460 mov eax, dword ptr fs:[00000030h]5_2_05EAF460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF460 mov eax, dword ptr fs:[00000030h]5_2_05EAF460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF460 mov eax, dword ptr fs:[00000030h]5_2_05EAF460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF460 mov eax, dword ptr fs:[00000030h]5_2_05EAF460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF460 mov eax, dword ptr fs:[00000030h]5_2_05EAF460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBA470 mov eax, dword ptr fs:[00000030h]5_2_05EBA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBA470 mov eax, dword ptr fs:[00000030h]5_2_05EBA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBA470 mov eax, dword ptr fs:[00000030h]5_2_05EBA470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4F453 mov eax, dword ptr fs:[00000030h]5_2_05F4F453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B440 mov eax, dword ptr fs:[00000030h]5_2_05E9B440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B440 mov eax, dword ptr fs:[00000030h]5_2_05E9B440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B440 mov eax, dword ptr fs:[00000030h]5_2_05E9B440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B440 mov eax, dword ptr fs:[00000030h]5_2_05E9B440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B440 mov eax, dword ptr fs:[00000030h]5_2_05E9B440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B440 mov eax, dword ptr fs:[00000030h]5_2_05E9B440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECE443 mov eax, dword ptr fs:[00000030h]5_2_05ECE443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB245A mov eax, dword ptr fs:[00000030h]5_2_05EB245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8645D mov eax, dword ptr fs:[00000030h]5_2_05E8645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8E420 mov eax, dword ptr fs:[00000030h]5_2_05E8E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8E420 mov eax, dword ptr fs:[00000030h]5_2_05E8E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8E420 mov eax, dword ptr fs:[00000030h]5_2_05E8E420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8C427 mov eax, dword ptr fs:[00000030h]5_2_05E8C427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB340D mov eax, dword ptr fs:[00000030h]5_2_05EB340D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC8402 mov eax, dword ptr fs:[00000030h]5_2_05EC8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC8402 mov eax, dword ptr fs:[00000030h]5_2_05EC8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC8402 mov eax, dword ptr fs:[00000030h]5_2_05EC8402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB27ED mov eax, dword ptr fs:[00000030h]5_2_05EB27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB27ED mov eax, dword ptr fs:[00000030h]5_2_05EB27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB27ED mov eax, dword ptr fs:[00000030h]5_2_05EB27ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9D7E0 mov ecx, dword ptr fs:[00000030h]5_2_05E9D7E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E947FB mov eax, dword ptr fs:[00000030h]5_2_05E947FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E947FB mov eax, dword ptr fs:[00000030h]5_2_05E947FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9C7C0 mov eax, dword ptr fs:[00000030h]5_2_05E9C7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E957C0 mov eax, dword ptr fs:[00000030h]5_2_05E957C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E957C0 mov eax, dword ptr fs:[00000030h]5_2_05E957C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E957C0 mov eax, dword ptr fs:[00000030h]5_2_05E957C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F637B6 mov eax, dword ptr fs:[00000030h]5_2_05F637B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E907AF mov eax, dword ptr fs:[00000030h]5_2_05E907AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F7BA mov eax, dword ptr fs:[00000030h]5_2_05E8F7BA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F197A9 mov eax, dword ptr fs:[00000030h]5_2_05F197A9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBD7B0 mov eax, dword ptr fs:[00000030h]5_2_05EBD7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1F7AF mov eax, dword ptr fs:[00000030h]5_2_05F1F7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1F7AF mov eax, dword ptr fs:[00000030h]5_2_05F1F7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1F7AF mov eax, dword ptr fs:[00000030h]5_2_05F1F7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1F7AF mov eax, dword ptr fs:[00000030h]5_2_05F1F7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1F7AF mov eax, dword ptr fs:[00000030h]5_2_05F1F7AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4F78A mov eax, dword ptr fs:[00000030h]5_2_05F4F78A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B765 mov eax, dword ptr fs:[00000030h]5_2_05E8B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B765 mov eax, dword ptr fs:[00000030h]5_2_05E8B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B765 mov eax, dword ptr fs:[00000030h]5_2_05E8B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B765 mov eax, dword ptr fs:[00000030h]5_2_05E8B765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E98770 mov eax, dword ptr fs:[00000030h]5_2_05E98770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA0770 mov eax, dword ptr fs:[00000030h]5_2_05EA0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC674D mov esi, dword ptr fs:[00000030h]5_2_05EC674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC674D mov eax, dword ptr fs:[00000030h]5_2_05EC674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC674D mov eax, dword ptr fs:[00000030h]5_2_05EC674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F14755 mov eax, dword ptr fs:[00000030h]5_2_05F14755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA3740 mov eax, dword ptr fs:[00000030h]5_2_05EA3740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA3740 mov eax, dword ptr fs:[00000030h]5_2_05EA3740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA3740 mov eax, dword ptr fs:[00000030h]5_2_05EA3740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E90750 mov eax, dword ptr fs:[00000030h]5_2_05E90750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2750 mov eax, dword ptr fs:[00000030h]5_2_05ED2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2750 mov eax, dword ptr fs:[00000030h]5_2_05ED2750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F63749 mov eax, dword ptr fs:[00000030h]5_2_05F63749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0C730 mov eax, dword ptr fs:[00000030h]5_2_05F0C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E93720 mov eax, dword ptr fs:[00000030h]5_2_05E93720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F6B73C mov eax, dword ptr fs:[00000030h]5_2_05F6B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F6B73C mov eax, dword ptr fs:[00000030h]5_2_05F6B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F6B73C mov eax, dword ptr fs:[00000030h]5_2_05F6B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F6B73C mov eax, dword ptr fs:[00000030h]5_2_05F6B73C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF720 mov eax, dword ptr fs:[00000030h]5_2_05EAF720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF720 mov eax, dword ptr fs:[00000030h]5_2_05EAF720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAF720 mov eax, dword ptr fs:[00000030h]5_2_05EAF720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECC720 mov eax, dword ptr fs:[00000030h]5_2_05ECC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECC720 mov eax, dword ptr fs:[00000030h]5_2_05ECC720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC273C mov eax, dword ptr fs:[00000030h]5_2_05EC273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC273C mov ecx, dword ptr fs:[00000030h]5_2_05EC273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC273C mov eax, dword ptr fs:[00000030h]5_2_05EC273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9973A mov eax, dword ptr fs:[00000030h]5_2_05E9973A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9973A mov eax, dword ptr fs:[00000030h]5_2_05E9973A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E89730 mov eax, dword ptr fs:[00000030h]5_2_05E89730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E89730 mov eax, dword ptr fs:[00000030h]5_2_05E89730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC5734 mov eax, dword ptr fs:[00000030h]5_2_05EC5734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4F72E mov eax, dword ptr fs:[00000030h]5_2_05F4F72E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5972B mov eax, dword ptr fs:[00000030h]5_2_05F5972B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E97703 mov eax, dword ptr fs:[00000030h]5_2_05E97703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E95702 mov eax, dword ptr fs:[00000030h]5_2_05E95702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E95702 mov eax, dword ptr fs:[00000030h]5_2_05E95702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECC700 mov eax, dword ptr fs:[00000030h]5_2_05ECC700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECF71F mov eax, dword ptr fs:[00000030h]5_2_05ECF71F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECF71F mov eax, dword ptr fs:[00000030h]5_2_05ECF71F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E90710 mov eax, dword ptr fs:[00000030h]5_2_05E90710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC0710 mov eax, dword ptr fs:[00000030h]5_2_05EC0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F106F1 mov eax, dword ptr fs:[00000030h]5_2_05F106F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F106F1 mov eax, dword ptr fs:[00000030h]5_2_05F106F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E6F2 mov eax, dword ptr fs:[00000030h]5_2_05F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E6F2 mov eax, dword ptr fs:[00000030h]5_2_05F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E6F2 mov eax, dword ptr fs:[00000030h]5_2_05F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E6F2 mov eax, dword ptr fs:[00000030h]5_2_05F0E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4D6F0 mov eax, dword ptr fs:[00000030h]5_2_05F4D6F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBD6E0 mov eax, dword ptr fs:[00000030h]5_2_05EBD6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBD6E0 mov eax, dword ptr fs:[00000030h]5_2_05EBD6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F236EE mov eax, dword ptr fs:[00000030h]5_2_05F236EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F236EE mov eax, dword ptr fs:[00000030h]5_2_05F236EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F236EE mov eax, dword ptr fs:[00000030h]5_2_05F236EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F236EE mov eax, dword ptr fs:[00000030h]5_2_05F236EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F236EE mov eax, dword ptr fs:[00000030h]5_2_05F236EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F236EE mov eax, dword ptr fs:[00000030h]5_2_05F236EE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC16CF mov eax, dword ptr fs:[00000030h]5_2_05EC16CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B6C0 mov eax, dword ptr fs:[00000030h]5_2_05E9B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B6C0 mov eax, dword ptr fs:[00000030h]5_2_05E9B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B6C0 mov eax, dword ptr fs:[00000030h]5_2_05E9B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B6C0 mov eax, dword ptr fs:[00000030h]5_2_05E9B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B6C0 mov eax, dword ptr fs:[00000030h]5_2_05E9B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9B6C0 mov eax, dword ptr fs:[00000030h]5_2_05E9B6C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECA6C7 mov ebx, dword ptr fs:[00000030h]5_2_05ECA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECA6C7 mov eax, dword ptr fs:[00000030h]5_2_05ECA6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4F6C7 mov eax, dword ptr fs:[00000030h]5_2_05F4F6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F516CC mov eax, dword ptr fs:[00000030h]5_2_05F516CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F516CC mov eax, dword ptr fs:[00000030h]5_2_05F516CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F516CC mov eax, dword ptr fs:[00000030h]5_2_05F516CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F516CC mov eax, dword ptr fs:[00000030h]5_2_05F516CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8D6AA mov eax, dword ptr fs:[00000030h]5_2_05E8D6AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8D6AA mov eax, dword ptr fs:[00000030h]5_2_05E8D6AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECC6A6 mov eax, dword ptr fs:[00000030h]5_2_05ECC6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E876B2 mov eax, dword ptr fs:[00000030h]5_2_05E876B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E876B2 mov eax, dword ptr fs:[00000030h]5_2_05E876B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E876B2 mov eax, dword ptr fs:[00000030h]5_2_05E876B2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC66B0 mov eax, dword ptr fs:[00000030h]5_2_05EC66B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E94690 mov eax, dword ptr fs:[00000030h]5_2_05E94690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E94690 mov eax, dword ptr fs:[00000030h]5_2_05E94690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1368C mov eax, dword ptr fs:[00000030h]5_2_05F1368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1368C mov eax, dword ptr fs:[00000030h]5_2_05F1368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1368C mov eax, dword ptr fs:[00000030h]5_2_05F1368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1368C mov eax, dword ptr fs:[00000030h]5_2_05F1368C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECA660 mov eax, dword ptr fs:[00000030h]5_2_05ECA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECA660 mov eax, dword ptr fs:[00000030h]5_2_05ECA660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC9660 mov eax, dword ptr fs:[00000030h]5_2_05EC9660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC9660 mov eax, dword ptr fs:[00000030h]5_2_05EC9660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC2674 mov eax, dword ptr fs:[00000030h]5_2_05EC2674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5866E mov eax, dword ptr fs:[00000030h]5_2_05F5866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5866E mov eax, dword ptr fs:[00000030h]5_2_05F5866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAC640 mov eax, dword ptr fs:[00000030h]5_2_05EAC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F65636 mov eax, dword ptr fs:[00000030h]5_2_05F65636
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9262C mov eax, dword ptr fs:[00000030h]5_2_05E9262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC6620 mov eax, dword ptr fs:[00000030h]5_2_05EC6620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC8620 mov eax, dword ptr fs:[00000030h]5_2_05EC8620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE627 mov eax, dword ptr fs:[00000030h]5_2_05EAE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F626 mov eax, dword ptr fs:[00000030h]5_2_05E8F626
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA260B mov eax, dword ptr fs:[00000030h]5_2_05EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA260B mov eax, dword ptr fs:[00000030h]5_2_05EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA260B mov eax, dword ptr fs:[00000030h]5_2_05EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA260B mov eax, dword ptr fs:[00000030h]5_2_05EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA260B mov eax, dword ptr fs:[00000030h]5_2_05EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA260B mov eax, dword ptr fs:[00000030h]5_2_05EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA260B mov eax, dword ptr fs:[00000030h]5_2_05EA260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC1607 mov eax, dword ptr fs:[00000030h]5_2_05EC1607
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECF603 mov eax, dword ptr fs:[00000030h]5_2_05ECF603
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED2619 mov eax, dword ptr fs:[00000030h]5_2_05ED2619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E609 mov eax, dword ptr fs:[00000030h]5_2_05F0E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E93616 mov eax, dword ptr fs:[00000030h]5_2_05E93616
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E93616 mov eax, dword ptr fs:[00000030h]5_2_05E93616
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB51EF mov eax, dword ptr fs:[00000030h]5_2_05EB51EF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E951ED mov eax, dword ptr fs:[00000030h]5_2_05E951ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F661E5 mov eax, dword ptr fs:[00000030h]5_2_05F661E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC01F8 mov eax, dword ptr fs:[00000030h]5_2_05EC01F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E1D0 mov eax, dword ptr fs:[00000030h]5_2_05F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E1D0 mov eax, dword ptr fs:[00000030h]5_2_05F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E1D0 mov ecx, dword ptr fs:[00000030h]5_2_05F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E1D0 mov eax, dword ptr fs:[00000030h]5_2_05F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0E1D0 mov eax, dword ptr fs:[00000030h]5_2_05F0E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F561C3 mov eax, dword ptr fs:[00000030h]5_2_05F561C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F561C3 mov eax, dword ptr fs:[00000030h]5_2_05F561C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECD1D0 mov eax, dword ptr fs:[00000030h]5_2_05ECD1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ECD1D0 mov ecx, dword ptr fs:[00000030h]5_2_05ECD1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F651CB mov eax, dword ptr fs:[00000030h]5_2_05F651CB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F411A4 mov eax, dword ptr fs:[00000030h]5_2_05F411A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F411A4 mov eax, dword ptr fs:[00000030h]5_2_05F411A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F411A4 mov eax, dword ptr fs:[00000030h]5_2_05F411A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F411A4 mov eax, dword ptr fs:[00000030h]5_2_05F411A4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAB1B0 mov eax, dword ptr fs:[00000030h]5_2_05EAB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED0185 mov eax, dword ptr fs:[00000030h]5_2_05ED0185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1019F mov eax, dword ptr fs:[00000030h]5_2_05F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1019F mov eax, dword ptr fs:[00000030h]5_2_05F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1019F mov eax, dword ptr fs:[00000030h]5_2_05F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F1019F mov eax, dword ptr fs:[00000030h]5_2_05F1019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4C188 mov eax, dword ptr fs:[00000030h]5_2_05F4C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4C188 mov eax, dword ptr fs:[00000030h]5_2_05F4C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EE7190 mov eax, dword ptr fs:[00000030h]5_2_05EE7190
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8A197 mov eax, dword ptr fs:[00000030h]5_2_05E8A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8A197 mov eax, dword ptr fs:[00000030h]5_2_05E8A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8A197 mov eax, dword ptr fs:[00000030h]5_2_05E8A197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F29179 mov eax, dword ptr fs:[00000030h]5_2_05F29179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8F172 mov eax, dword ptr fs:[00000030h]5_2_05E8F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E89148 mov eax, dword ptr fs:[00000030h]5_2_05E89148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E89148 mov eax, dword ptr fs:[00000030h]5_2_05E89148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E89148 mov eax, dword ptr fs:[00000030h]5_2_05E89148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E89148 mov eax, dword ptr fs:[00000030h]5_2_05E89148
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F65152 mov eax, dword ptr fs:[00000030h]5_2_05F65152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F24144 mov eax, dword ptr fs:[00000030h]5_2_05F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F24144 mov eax, dword ptr fs:[00000030h]5_2_05F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F24144 mov ecx, dword ptr fs:[00000030h]5_2_05F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F24144 mov eax, dword ptr fs:[00000030h]5_2_05F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F24144 mov eax, dword ptr fs:[00000030h]5_2_05F24144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E97152 mov eax, dword ptr fs:[00000030h]5_2_05E97152
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E96154 mov eax, dword ptr fs:[00000030h]5_2_05E96154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E96154 mov eax, dword ptr fs:[00000030h]5_2_05E96154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8C156 mov eax, dword ptr fs:[00000030h]5_2_05E8C156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC0124 mov eax, dword ptr fs:[00000030h]5_2_05EC0124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E91131 mov eax, dword ptr fs:[00000030h]5_2_05E91131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E91131 mov eax, dword ptr fs:[00000030h]5_2_05E91131
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B136 mov eax, dword ptr fs:[00000030h]5_2_05E8B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B136 mov eax, dword ptr fs:[00000030h]5_2_05E8B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B136 mov eax, dword ptr fs:[00000030h]5_2_05E8B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8B136 mov eax, dword ptr fs:[00000030h]5_2_05E8B136
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F50115 mov eax, dword ptr fs:[00000030h]5_2_05F50115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3A118 mov ecx, dword ptr fs:[00000030h]5_2_05F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3A118 mov eax, dword ptr fs:[00000030h]5_2_05F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3A118 mov eax, dword ptr fs:[00000030h]5_2_05F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3A118 mov eax, dword ptr fs:[00000030h]5_2_05F3A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E980E9 mov eax, dword ptr fs:[00000030h]5_2_05E980E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8A0E3 mov ecx, dword ptr fs:[00000030h]5_2_05E8A0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB50E4 mov eax, dword ptr fs:[00000030h]5_2_05EB50E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB50E4 mov ecx, dword ptr fs:[00000030h]5_2_05EB50E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8C0F0 mov eax, dword ptr fs:[00000030h]5_2_05E8C0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05ED20F0 mov ecx, dword ptr fs:[00000030h]5_2_05ED20F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov ecx, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov ecx, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov ecx, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov ecx, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA70C0 mov eax, dword ptr fs:[00000030h]5_2_05EA70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F120DE mov eax, dword ptr fs:[00000030h]5_2_05F120DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F650D9 mov eax, dword ptr fs:[00000030h]5_2_05F650D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EB90DB mov eax, dword ptr fs:[00000030h]5_2_05EB90DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D0C0 mov eax, dword ptr fs:[00000030h]5_2_05F0D0C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D0C0 mov eax, dword ptr fs:[00000030h]5_2_05F0D0C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F560B8 mov eax, dword ptr fs:[00000030h]5_2_05F560B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F560B8 mov ecx, dword ptr fs:[00000030h]5_2_05F560B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9208A mov eax, dword ptr fs:[00000030h]5_2_05E9208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8D08D mov eax, dword ptr fs:[00000030h]5_2_05E8D08D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC909C mov eax, dword ptr fs:[00000030h]5_2_05EC909C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBD090 mov eax, dword ptr fs:[00000030h]5_2_05EBD090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBD090 mov eax, dword ptr fs:[00000030h]5_2_05EBD090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E95096 mov eax, dword ptr fs:[00000030h]5_2_05E95096
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F0D070 mov ecx, dword ptr fs:[00000030h]5_2_05F0D070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F65060 mov eax, dword ptr fs:[00000030h]5_2_05F65060
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBC073 mov eax, dword ptr fs:[00000030h]5_2_05EBC073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov ecx, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA1070 mov eax, dword ptr fs:[00000030h]5_2_05EA1070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3705E mov ebx, dword ptr fs:[00000030h]5_2_05F3705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F3705E mov eax, dword ptr fs:[00000030h]5_2_05F3705E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E92050 mov eax, dword ptr fs:[00000030h]5_2_05E92050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EBB052 mov eax, dword ptr fs:[00000030h]5_2_05EBB052
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8A020 mov eax, dword ptr fs:[00000030h]5_2_05E8A020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E8C020 mov eax, dword ptr fs:[00000030h]5_2_05E8C020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5903E mov eax, dword ptr fs:[00000030h]5_2_05F5903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5903E mov eax, dword ptr fs:[00000030h]5_2_05F5903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5903E mov eax, dword ptr fs:[00000030h]5_2_05F5903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F5903E mov eax, dword ptr fs:[00000030h]5_2_05F5903E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE016 mov eax, dword ptr fs:[00000030h]5_2_05EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE016 mov eax, dword ptr fs:[00000030h]5_2_05EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE016 mov eax, dword ptr fs:[00000030h]5_2_05EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE016 mov eax, dword ptr fs:[00000030h]5_2_05EAE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EA03E9 mov eax, dword ptr fs:[00000030h]5_2_05EA03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F653FC mov eax, dword ptr fs:[00000030h]5_2_05F653FC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4F3E6 mov eax, dword ptr fs:[00000030h]5_2_05F4F3E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EC63FF mov eax, dword ptr fs:[00000030h]5_2_05EC63FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE3F0 mov eax, dword ptr fs:[00000030h]5_2_05EAE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE3F0 mov eax, dword ptr fs:[00000030h]5_2_05EAE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05EAE3F0 mov eax, dword ptr fs:[00000030h]5_2_05EAE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05F4B3D0 mov ecx, dword ptr fs:[00000030h]5_2_05F4B3D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9A3C0 mov eax, dword ptr fs:[00000030h]5_2_05E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9A3C0 mov eax, dword ptr fs:[00000030h]5_2_05E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9A3C0 mov eax, dword ptr fs:[00000030h]5_2_05E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9A3C0 mov eax, dword ptr fs:[00000030h]5_2_05E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9A3C0 mov eax, dword ptr fs:[00000030h]5_2_05E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E9A3C0 mov eax, dword ptr fs:[00000030h]5_2_05E9A3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeCode function: 5_2_05E983C0 mov eax, dword ptr fs:[00000030h]5_2_05E983C0
                Source: C:\Users\user\Desktop\7950COPY.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: 7950COPY.exe, .csReference to suspicious API methods: GetProcAddress(, )
                Source: 7950COPY.exe, .csReference to suspicious API methods: VirtualProtect(procAddress, (UIntPtr)(ulong)array.Length, ., out var )
                Source: 7950COPY.exe, .csReference to suspicious API methods: LoadLibrary([.])
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -ForceJump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\7950COPY.exeMemory allocated: C:\Windows\regedit.exe base: 400000 protect: page execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory allocated: C:\Windows\System32\cmd.exe base: 400000 protect: page execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000 protect: page execute and read and writeJump to behavior
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Users\user\Desktop\7950COPY.exeNtResumeThread: Indirect: 0x12122B7Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeNtMapViewOfSection: Indirect: 0x12121B0Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeNtMapViewOfSection: Indirect: 0x121216CJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\regedit.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\System32\cmd.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000 value starts with: 4D5AJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeSection loaded: NULL target: C:\Windows\SysWOW64\fltMC.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeSection loaded: NULL target: C:\Users\user\Desktop\7950COPY.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeSection loaded: NULL target: C:\Users\user\Desktop\7950COPY.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeSection loaded: NULL target: C:\Users\user\Desktop\7950COPY.exe protection: execute and read and writeJump to behavior
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exeThread register set: target process: 6908Jump to behavior
                Source: C:\Windows\SysWOW64\fltMC.exeThread register set: target process: 6908Jump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\regedit.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\regedit.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\System32\cmd.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\System32\cmd.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe base: 5368008Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -ForceJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\SysWOW64\psr.exe "C:\Windows\SysWOW64\psr.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeProcess created: C:\Windows\SysWOW64\fltMC.exe "C:\Windows\SysWOW64\fltMC.exe"Jump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeQueries volume information: C:\Users\user\Desktop\7950COPY.exe VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\7950COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Lowering of HIPS / PFW / Operating System Security Settings

                barindex
                Disables UAC (registry)
                Source: C:\Users\user\Desktop\7950COPY.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUAJump to behavior
                Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.3601048120.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601268503.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601299719.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188485814.0000000005DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.ilasm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000F.00000002.3601048120.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601268503.0000000003110000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000F.00000002.3601299719.0000000003160000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2188485814.0000000005DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Native API                		1
                DLL Side-Loading                		511
                Process Injection                		1
                Modify Registry                		OS Credential Dumping231
                Security Software Discovery                		Remote Services1
                Archive Collected Data                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                Abuse Elevation Control Mechanism                		21
                Disable or Modify Tools                		LSASS Memory1
                Process Discovery                		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                DLL Side-Loading                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook511
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism                		Cached Domain Credentials112
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                7950COPY.exe63%ReversingLabsByteCode-MSIL.Trojan.Leonem
                7950COPY.exe100%AviraHEUR/AGEN.1313324
                7950COPY.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://upx.sf.net0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://upx.sf.netAmcache.hve.9.drfalse
                • URL Reputation: safe
                		unknown

                World Map of Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1542909
                Start date and time:2024-10-26 20:10:30 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 8m 35s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Run name:Run with higher sleep bypass
                Number of analysed new started processes analysed:17
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:7950COPY.exe
                Detection:MAL
                Classification:mal100.troj.expl.evad.winEXE@18/10@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 96%
                • Number of executed functions: 16
                • Number of non-executed functions: 318
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 20.189.173.22
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing disassembly code.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • VT rate limit hit for: 7950COPY.exe

                Simulations

                Behavior and APIs

                TimeTypeDescription
                14:12:49API Interceptor6314644x Sleep call for process: fltMC.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASNs

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_7950COPY.exe_e07bac6fc75f0dd754c80383f3a605ac56aa5_579a01df_e20d6790-64c5-4ba2-a7a8-e1f22217ea1c\Report.wer

                Download File
                Process:C:\Windows\System32\WerFault.exe
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):65536
                Entropy (8bit):1.1313961705517015
                Encrypted:false
                SSDEEP:192:Lp13aRq50UnUdaWhNmbB6bdzuiFnZ24lO8H:loRHUnUdauNZZzuiFnY4lO8H
                MD5:F810B57E9D94E89E16310E3540272D17
                SHA1:A047DAAAECF0D8C4DFDA0F1CE233C664D2D4B735
                SHA-256:22ABA4A587C843CAE87C636D0E19C6B4454D8EA6E6B00C0F1398E6BDED378861
                SHA-512:F80EE6A16964DA159155B9A1E56594DEB039541D7A608E349B70D2C8823266A449DFA1BD91E0EFC234310E85DD556D133A936F7A07332C97C4BB5F52DBF4F5EF
                Malicious:true
                Reputation:low
                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.3.9.8.9.2.5.2.6.4.7.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.3.9.8.9.3.8.7.0.1.9.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.0.d.6.7.9.0.-.6.4.c.5.-.4.b.a.2.-.a.7.a.8.-.e.1.f.2.2.2.1.7.e.a.1.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.d.d.2.d.1.3.-.8.d.1.3.-.4.6.6.4.-.a.4.a.f.-.e.d.a.3.1.5.e.a.3.0.4.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.7.9.5.0.C.O.P.Y...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.e.w.S.t.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.f.c.-.0.0.0.1.-.0.0.1.4.-.5.0.6.3.-.2.a.7.a.d.2.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.0.2.f.a.d.2.4.c.7.b.8.d.6.7.8.a.9.b.8.c.0.1.a.7.1.f.f.a.d.6.0.0.0.0.0.0.0.0.0.!.0.0.0.0.5.b.5.f.1.5.5.9.5.3.b.b.c.1.3.b.f.8.5.2.a.6.7.3.e.4.b.e.0.8.8.a.f.c.5.7.d.d.a.9.!.7.9.5.0.C.O.P.Y...e.x.e.....

                C:\ProgramData\Microsoft\Windows\WER\Temp\WER40CA.tmp.dmp

                Download File
                Process:C:\Windows\System32\WerFault.exe
                File Type:Mini DuMP crash report, 16 streams, Sat Oct 26 18:11:33 2024, 0x1205a4 type
                Category:dropped
                Size (bytes):442060
                Entropy (8bit):3.273818103004028
                Encrypted:false
                SSDEEP:3072:9bP01CTwTeIFIrQgFnEP4vcSeG1CCqm1TdyiR3+vOwnlUok:9LSCTwTe0gMGpqmhdyiR3QG
                MD5:C00A2AFFAA0025A7C78851F985337186
                SHA1:BF3F0C902E899A7AADAAFEDA09E23AFF620139BF
                SHA-256:514608A9140A03683BAF5000D589CF6C891340A7375F30991824CB56CCFADD3B
                SHA-512:19554A53FB14086C87CDCAF63F297A0A22C7E2A9C3B3E76181130D288F6128C4E65083392695E4E1EFC9BFF846BD9670C9CAD9906A7E91DC133644BF011920E1
                Malicious:false
                Preview:MDMP..a..... ........0.g............D...........p...d.......$....$...........$......DH..2...........l.......8...........T...........x8..T............A...........C..............................................................................eJ......XD......Lw......................T............0.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\ProgramData\Microsoft\Windows\WER\Temp\WER44E2.tmp.WERInternalMetadata.xml

                Download File
                Process:C:\Windows\System32\WerFault.exe
                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):8602
                Entropy (8bit):3.710446173439931
                Encrypted:false
                SSDEEP:192:R6l7wVeJQIz+6Y9OltgmfF6JXprQ89bqkIfMOm:R6lXJXK6Y0ltgmfFiXqLf8
                MD5:3CA23B2670AF4727D4D08A68304EC92F
                SHA1:7EFE1F9547E7BDC7A771B8007961D357986BD38A
                SHA-256:0674642ADF379BD0CBF4B7A9F698021ED7D86EB55835E3E491457CFCAAAD4A4F
                SHA-512:F1F957B48E56FE701839B5C19F347420871114F948A924A3001857FB80A9E571AEB063232D81B5E6267FD30CD598F7AC58059939838E74DDD12698622A978B82
                Malicious:false
                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.0.8.<./.P.i.

                C:\ProgramData\Microsoft\Windows\WER\Temp\WER4531.tmp.xml

                Download File
                Process:C:\Windows\System32\WerFault.exe
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):4744
                Entropy (8bit):4.512291458388145
                Encrypted:false
                SSDEEP:48:cvIwWl8zsVJg771I9hGWpW8VYSYm8M4J17VAFmVRyq85hGLv+tmtNd:uIjfvI76H7VWJ17FVRc0+tmtNd
                MD5:790B5281768F4DA5A50FEC31D78F3913
                SHA1:38F423A7A5C4B343DD68D7BBC2608E6B3EC0DD8F
                SHA-256:998660DEDFECF57180D51B0D2A13C2EBD2634EE595625580CBFBA7916DB68D62
                SHA-512:AF15301191A7E4FFB399B105E4D3E1E8C48FFBE5A9EC8D85F4A8E72AFC65B254A42664F619BBF37C5EEDD53C0D65B1B6E4E1A28F8EF14F2A8CB24E6081E53175
                Malicious:false
                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560714" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):64
                Entropy (8bit):1.1940658735648508
                Encrypted:false
                SSDEEP:3:NllluljjElz:NllUE
                MD5:11E11881DB10CF040A1189171FFA58F4
                SHA1:FA0557B00771F196EF84B8274DCF7D079278811D
                SHA-256:2060C23CA036F0750DFC90E1C6D5374136E9D90262F6D125FC39BF72F75727A8
                SHA-512:C4762CDBE3A3AEDD00383855E5F4DF838B053199FC721F1600371ED177B37F8FE1C0983BC05F8CA940568034E2C66F67C586950A23E5032FED4F9A985A71BD73
                Malicious:false
                Preview:@...e.................................r.!............@..........

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mwi2efp.lkh.ps1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mr4flysb.5fq.psm1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ocm30u3u.1vl.psm1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w2lohtxg.gea.ps1

                Download File
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode

                C:\Windows\appcompat\Programs\Amcache.hve

                Download File
                Process:C:\Windows\System32\WerFault.exe
                File Type:MS Windows registry file, NT/2000 or above
                Category:dropped
                Size (bytes):1835008
                Entropy (8bit):4.46556203746047
                Encrypted:false
                SSDEEP:6144:AIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSb18:FXD94OWlLZMM6YFHG+18
                MD5:4604CBE651BA8B996A0AFBF91DADF68D
                SHA1:E9CEB9008198590A6E89F6FDE5FA5E94CA1E54C8
                SHA-256:D687A9E07C82710DA99D602015B3FFE81D5E4D2323BA906FCE211D509AB447B6
                SHA-512:512FA0A9F3F82BDAA798E7836CB81CC19395A1BE66081E33DA8546ADB05FC549EC7D42FCD72830E7707D52A35DAFA7E46ECE95B0A25974831BA6DF4916D09779
                Malicious:false
                Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.#.|.'.................................................................................................................................................................................................................................................................................................................................................H........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                Static File Info

                General

                File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                Entropy (8bit):5.050900712597312
                TrID:
                • Win64 Executable GUI (202006/5) 92.65%
                • Win64 Executable (generic) (12005/4) 5.51%
                • Generic Win/DOS Executable (2004/3) 0.92%
                • DOS Executable Generic (2002/1) 0.92%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:7950COPY.exe
                File size:2'238'495 bytes
                MD5:366019444461914c99eca593e71a9a02
                SHA1:5b5f155953bbc13bf852a673e4be088afc57dda9
                SHA256:369c60a89a3351e62008c3f8014ebe5424a67ef020767f0d37b7939243d6e808
                SHA512:b4af7a3996cc2caede6a3a28951d899222f4b2e868d386eaeb03cc6d305f67c60fbedcc910ed26139d21c9df03d12beccd637e683c76d49535e42ea33fe75a96
                SSDEEP:12288:pHhz3icNDH2VkmLF7nZk4IFp5BpGYLaJ/3Y:O02V1LVnZkD5BFLq3Y
                TLSH:8CA52212BA1B8D2FFE565674E8E170FA9BFD8D5B31F641AFEF004E0814152BE25428B4
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....p.g.........."...0.("............... ....@...... ....................................`................................

                File Icon

                Icon Hash:90cececece8e8eb0

                Static PE Info

                General

                Entrypoint:0x400000
                Entrypoint Section:
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x67197080 [Wed Oct 23 21:54:08 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:

                Entrypoint Preview

                Instruction
                dec ebp
                pop edx
                nop
                add byte ptr [ebx], al
                add byte ptr [eax], al
                add byte ptr [eax+eax], al
                add byte ptr [eax], al

                Data Directories

                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x4ce.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x20000x22280x2400fef16421a45b55fa8a7962638d208d37False0.5590277777777778data5.598988654569912IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc0x60000x4ce0x6007799bdbba17d2b240f4f11686a6491e2False0.373046875data3.706685001452932IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                NameRVASizeTypeLanguageCountryZLIB Complexity
                RT_VERSION0x60a00x244data0.46379310344827585
                RT_MANIFEST0x62e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                Network Behavior

                No network behavior found

                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                General

                Target ID:0
                Start time:14:11:28
                Start date:26/10/2024
                Path:C:\Users\user\Desktop\7950COPY.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\7950COPY.exe"
                Imagebase:0x17095b00000
                File size:2'238'495 bytes
                MD5 hash:366019444461914C99ECA593E71A9A02
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2314358721.0000017097B34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                General

                Target ID:1
                Start time:14:11:30
                Start date:26/10/2024
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7950COPY.exe" -Force
                Imagebase:0x7ff788560000
                File size:452'608 bytes
                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:2
                Start time:14:11:30
                Start date:26/10/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:3
                Start time:14:11:31
                Start date:26/10/2024
                Path:C:\Windows\regedit.exe
                Wow64 process (32bit):
                Commandline:"C:\Windows\regedit.exe"
                Imagebase:
                File size:370'176 bytes
                MD5 hash:999A30979F6195BF562068639FFC4426
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:false

                General

                Target ID:4
                Start time:14:11:31
                Start date:26/10/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):
                Commandline:"C:\Windows\System32\cmd.exe"
                Imagebase:
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                General

                Target ID:5
                Start time:14:11:31
                Start date:26/10/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
                Imagebase:0xdd0000
                File size:306'264 bytes
                MD5 hash:2B2AE2C9C5D693D2306EF388583B1A03
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2188485814.0000000005DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                Reputation:moderate
                Has exited:true

                General

                Target ID:6
                Start time:14:11:31
                Start date:26/10/2024
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
                Wow64 process (32bit):
                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
                Imagebase:
                File size:306'264 bytes
                MD5 hash:2B2AE2C9C5D693D2306EF388583B1A03
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:false

                General

                Target ID:9
                Start time:14:11:32
                Start date:26/10/2024
                Path:C:\Windows\System32\WerFault.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\WerFault.exe -u -p 6908 -s 1532
                Imagebase:0x7ff7fec00000
                File size:570'736 bytes
                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:10
                Start time:14:11:35
                Start date:26/10/2024
                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Imagebase:0x7ff693ab0000
                File size:496'640 bytes
                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                Has elevated privileges:true
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                General

                Target ID:14
                Start time:14:12:07
                Start date:26/10/2024
                Path:C:\Windows\SysWOW64\psr.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\SysWOW64\psr.exe"
                Imagebase:0x6a0000
                File size:194'048 bytes
                MD5 hash:3117B8F9AF28E7E720739A2C13F919C2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:true

                General

                Target ID:15
                Start time:14:12:07
                Start date:26/10/2024
                Path:C:\Windows\SysWOW64\fltMC.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\SysWOW64\fltMC.exe"
                Imagebase:0xdf0000
                File size:24'576 bytes
                MD5 hash:330E111C418797FC2E56F3F7E5FAAB9A
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3601048120.0000000000C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3601268503.0000000003110000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.3601299719.0000000003160000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:moderate
                Has exited:false

                Disassembly

                Reset < >

                  Execution Graph

                  Execution Coverage:1.5%
                  Dynamic/Decrypted Code Coverage:6%
                  Signature Coverage:8.6%
                  Total number of Nodes:151
                  Total number of Limit Nodes:12
                  execution_graph 75989 424783 75990 42479f 75989->75990 75991 4247c7 75990->75991 75992 4247db 75990->75992 75993 42c3d3 NtClose 75991->75993 75999 42c3d3 75992->75999 75995 4247d0 75993->75995 75996 4247e4 76002 42e5b3 75996->76002 75998 4247ef 76000 42c3ed 75999->76000 76001 42c3fe NtClose 76000->76001 76001->75996 76005 42c6f3 76002->76005 76004 42e5d0 76004->75998 76006 42c710 76005->76006 76007 42c721 RtlAllocateHeap 76006->76007 76007->76004 76155 42f663 76156 42f5d3 76155->76156 76160 42f630 76156->76160 76161 42e573 76156->76161 76158 42f60d 76159 42e493 RtlFreeHeap 76158->76159 76159->76160 76162 42c6f3 RtlAllocateHeap 76161->76162 76163 42e58e 76162->76163 76163->76158 76164 424b23 76169 424b3c 76164->76169 76165 424bcc 76166 424b87 76167 42e493 RtlFreeHeap 76166->76167 76168 424b97 76167->76168 76169->76165 76169->76166 76170 424bc7 76169->76170 76171 42e493 RtlFreeHeap 76170->76171 76171->76165 76008 415743 76009 415768 76008->76009 76014 417513 76009->76014 76013 4157c6 76015 417537 76014->76015 76016 41579e 76015->76016 76017 417581 LdrLoadDll 76015->76017 76016->76013 76018 419293 76016->76018 76017->76016 76019 4192c6 76018->76019 76020 4192ea 76019->76020 76025 42bf43 76019->76025 76020->76013 76022 41930d 76022->76020 76023 42c3d3 NtClose 76022->76023 76024 41938d 76023->76024 76024->76013 76026 42bf60 76025->76026 76029 5ed2ca0 LdrInitializeThunk 76026->76029 76027 42bf8c 76027->76022 76029->76027 76030 413dc3 76031 413ddd 76030->76031 76032 417513 LdrLoadDll 76031->76032 76033 413dfb 76032->76033 76034 413e40 76033->76034 76035 413e2f PostThreadMessageW 76033->76035 76035->76034 76036 4019ca 76037 4019d4 76036->76037 76040 42fa03 76037->76040 76043 42e043 76040->76043 76044 42e069 76043->76044 76055 407253 76044->76055 76046 42e07f 76054 401a86 76046->76054 76058 41ae63 76046->76058 76048 42e0b3 76069 4280a3 76048->76069 76049 42e09e 76049->76048 76073 42c793 76049->76073 76052 42e0cd 76053 42c793 ExitProcess 76052->76053 76053->76054 76076 416233 76055->76076 76057 407260 76057->76046 76059 41ae8f 76058->76059 76104 41ad53 76059->76104 76062 41aed4 76066 42c3d3 NtClose 76062->76066 76067 41aef0 76062->76067 76063 41aebc 76064 42c3d3 NtClose 76063->76064 76065 41aec7 76063->76065 76064->76065 76065->76049 76068 41aee6 76066->76068 76067->76049 76068->76049 76070 428105 76069->76070 76072 428112 76070->76072 76115 418383 76070->76115 76072->76052 76074 42c7b0 76073->76074 76075 42c7c1 ExitProcess 76074->76075 76075->76048 76078 416250 76076->76078 76077 416269 76077->76057 76078->76077 76083 42ce23 76078->76083 76080 4162c4 76080->76077 76090 428dc3 NtClose LdrInitializeThunk 76080->76090 76082 416312 76082->76057 76085 42ce3d 76083->76085 76084 42ce6c 76084->76080 76085->76084 76091 42ba23 76085->76091 76090->76082 76092 42ba40 76091->76092 76098 5ed2c0a 76092->76098 76093 42ba6c 76095 42e493 76093->76095 76101 42c743 76095->76101 76097 42cee5 76097->76080 76099 5ed2c1f LdrInitializeThunk 76098->76099 76100 5ed2c11 76098->76100 76099->76093 76100->76093 76102 42c75d 76101->76102 76103 42c76e RtlFreeHeap 76102->76103 76103->76097 76105 41ad6d 76104->76105 76109 41ae49 76104->76109 76110 42bac3 76105->76110 76108 42c3d3 NtClose 76108->76109 76109->76062 76109->76063 76111 42bae0 76110->76111 76114 5ed35c0 LdrInitializeThunk 76111->76114 76112 41ae3d 76112->76108 76114->76112 76117 4183ad 76115->76117 76116 4188bb 76116->76072 76117->76116 76123 413a43 76117->76123 76119 4184da 76119->76116 76120 42e493 RtlFreeHeap 76119->76120 76121 4184f2 76120->76121 76121->76116 76122 42c793 ExitProcess 76121->76122 76122->76116 76127 413a63 76123->76127 76125 413ac2 76125->76119 76126 413acc 76126->76119 76127->76126 76128 41b173 RtlFreeHeap LdrInitializeThunk 76127->76128 76128->76125 76129 5ed2b60 LdrInitializeThunk 76130 42e453 76133 42c613 76130->76133 76134 42c62d 76133->76134 76137 5ed2f90 LdrInitializeThunk 76134->76137 76135 42c659 76137->76135 76138 42b9d3 76139 42b9ed 76138->76139 76142 5ed2df0 LdrInitializeThunk 76139->76142 76140 42ba15 76142->76140 76172 42f533 76173 42f543 76172->76173 76174 42f549 76172->76174 76175 42e573 RtlAllocateHeap 76174->76175 76176 42f56f 76175->76176 76177 41afb3 76178 41afc4 76177->76178 76179 42ba23 LdrInitializeThunk 76178->76179 76180 41b00b 76178->76180 76179->76180 76143 418ad8 76144 42c3d3 NtClose 76143->76144 76145 418ae2 76144->76145 76146 413898 76147 413869 76146->76147 76150 42c663 76147->76150 76151 42c67d 76150->76151 76154 5ed2c70 LdrInitializeThunk 76151->76154 76152 413885 76154->76152

                  Executed Functions

                  Function 00417513 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 82 417513-41753c call 42f073 85 417542-417550 call 42f673 82->85 86 41753e-417541 82->86 89 417560-417571 call 42db13 85->89 90 417552-41755d call 42f913 85->90 95 417573-417587 LdrLoadDll 89->95 96 41758a-41758d 89->96 90->89 95->96
                  APIs
                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417585
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID: Load
                  • String ID:
                  • API String ID: 2234796835-0
                  • Opcode ID: 48c47ea0acbd36e415d169c110b67be6197c7bdde2e5932421a282de22021925
                  • Instruction ID: cda20b1af228496a4f4233491df0f2ba6d17eaa28420fe62226e94654bf05f32
                  • Opcode Fuzzy Hash: 48c47ea0acbd36e415d169c110b67be6197c7bdde2e5932421a282de22021925
                  • Instruction Fuzzy Hash: E3015EB1E4020DBBDF10DBA1DC42FDEB3789B14308F4041AAE90897241F634EB488B95
                  Function 0042C3D3 Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 117 42c3d3-42c40c call 404673 call 42d603 NtClose
                  APIs
                  • NtClose.NTDLL(?,6aA@,001F0001,?,00000000,?,?,00000104), ref: 0042C407
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  • Opcode ID: eaa955a66304852f9481c97360de3e84e728e1265d3dfa970e9c9fc313b7cad7
                  • Instruction ID: eed19b771388391831234f7e2e81d2dd274eb6c5f102349647466fd41cc7dde3
                  • Opcode Fuzzy Hash: eaa955a66304852f9481c97360de3e84e728e1265d3dfa970e9c9fc313b7cad7
                  • Instruction Fuzzy Hash: 1CE04F366042147BD110BA6ADC01F9777ACDBC5710F40841AFA0867241C675791587E4
                  Function 05ED35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: ec68050f8c902217800ae2e137f8f8b4fe4edc4a8081e0a4e45f0ad2b5e06ed9
                  • Instruction ID: 1258caa62d3df6ec2f32d419ac81d6d687ca92b5d41100c46de0178ce9b62b5a
                  • Opcode Fuzzy Hash: ec68050f8c902217800ae2e137f8f8b4fe4edc4a8081e0a4e45f0ad2b5e06ed9
                  • Instruction Fuzzy Hash: D3900232A1950402D14071584556706101587D0201FA5D411A0864568D87958A5165A2
                  Function 05ED2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 134 5ed2df0-5ed2dfc LdrInitializeThunk
                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 2dfc0df98c162e87c5003243a81945f84e3699a2b4d119a4e217fe6793f067fa
                  • Instruction ID: aaaa5e169dc277245c16ae7df0bb672280f478d75c26829a579a7ffe986b8997
                  • Opcode Fuzzy Hash: 2dfc0df98c162e87c5003243a81945f84e3699a2b4d119a4e217fe6793f067fa
                  • Instruction Fuzzy Hash: B890023261540413D15171584546707001987D0241FD5D412A0864558D96568A52A121
                  Function 05ED2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 133 5ed2ca0-5ed2cac LdrInitializeThunk
                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: e49b82a46c61389793752ce8909e1b5283ca65bb17692555c2efa6b8e369ccc6
                  • Instruction ID: 14cce9e8d52ac094472811425e6922a7608ae7bb08ccc6dafcac277740ceeec5
                  • Opcode Fuzzy Hash: e49b82a46c61389793752ce8909e1b5283ca65bb17692555c2efa6b8e369ccc6
                  • Instruction Fuzzy Hash: 3390023261540402D1407598544A646001587E0301F95E011A5464555EC66589916131
                  Function 05ED2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 132 5ed2c70-5ed2c7c LdrInitializeThunk
                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: d0acaa44fcac8b4b09c61a7e260fbdcbe460a48f4252a470205ff8fd32a0aff1
                  • Instruction ID: 8a63b49bde813e4d0b240cc1ee33f04575272f0edeaaa9865339ab337e375fdf
                  • Opcode Fuzzy Hash: d0acaa44fcac8b4b09c61a7e260fbdcbe460a48f4252a470205ff8fd32a0aff1
                  • Instruction Fuzzy Hash: B390023261548802D1507158844674A001587D0301F99D411A4864658D869589917121
                  Function 05ED2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 9aa667dc85e2c6ad0aef00d0c3ec31a58ad8bd4482db5e177a138d3c5423159d
                  • Instruction ID: 040d032b7ab9c1a6c5d7551f0d5cad610c9bee3c85c85249736e3b5467b28f62
                  • Opcode Fuzzy Hash: 9aa667dc85e2c6ad0aef00d0c3ec31a58ad8bd4482db5e177a138d3c5423159d
                  • Instruction Fuzzy Hash: 0590023261580402D1407158485670B001587D0302F95D011A15A4555D862589516571
                  Function 05ED2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 131 5ed2b60-5ed2b6c LdrInitializeThunk
                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 7e7d1ef6b71548ca9f73f7904eecb123d22dda86da26be42041565fad3c1b7d6
                  • Instruction ID: f14c6a63dbc902de94224c565aabe5cb82e819f0a7b6b5d7441beb6a57171860
                  • Opcode Fuzzy Hash: 7e7d1ef6b71548ca9f73f7904eecb123d22dda86da26be42041565fad3c1b7d6
                  • Instruction Fuzzy Hash: 7090027261640003414571584456616401A87E0201B95D021E1454590DC52589916125
                  Function 00418383 Relevance: .4, Instructions: 437COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4943e23c2207d64657b7ff264b810356d0a526c1ad71f6541fc237ac1e1034a9
                  • Instruction ID: eb8c6ca8274ce9b248a74d56f29bb616af59a1b57333e3c00e07521140decbf4
                  • Opcode Fuzzy Hash: 4943e23c2207d64657b7ff264b810356d0a526c1ad71f6541fc237ac1e1034a9
                  • Instruction Fuzzy Hash: 97F1B170E0021AAFDB24DFA5DC81BEEB778AF44304F1481AEE414A7341EB746A85CF95
                  Function 00413CC1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 0 413cc1-413cd0 1 413cd2-413ce5 0->1 2 413d1c-413d1f 0->2 5 413c82-413ca2 1->5 6 413ce6-413ce7 1->6 3 413d21-413d59 2->3 4 413ca9-413cb6 2->4 11 413d5f-413d63 3->11 4->0 7 413ca4-413ca7 5->7 8 413ce9-413cf8 5->8 6->8 7->4 10 413d14-413d16 7->10 8->10 10->6 11->11 13 413d65-413d7c 11->13 14 413df9-413e2d call 4045e3 call 424c43 13->14 15 413d7e-413d90 13->15 20 413e4d-413e53 14->20 21 413e2f-413e3e PostThreadMessageW 14->21 15->14 21->20 22 413e40-413e4a 21->22 22->20
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 7F327Fu1$7F327Fu1
                  • API String ID: 0-2746152832
                  • Opcode ID: 5289f3c9ef0fc926f3ff8b02abae3e03c085a2d8e502ff98b9c7a1ede0990a7e
                  • Instruction ID: 00665e7d9c341732fcc01b503541089e27fc17d5584f6db9e6d9ba7faf9c7a6b
                  • Opcode Fuzzy Hash: 5289f3c9ef0fc926f3ff8b02abae3e03c085a2d8e502ff98b9c7a1ede0990a7e
                  • Instruction Fuzzy Hash: 1741DF72946155FFC701DF7098818EEBB78EEA231171442AFD800AB241D72A9A47C7D5
                  Function 00413DC3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60threadwindowCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 23 413dc3-413e00 call 42e533 call 42ef43 call 417513 30 413e07-413e2d call 424c43 23->30 31 413e02 call 4045e3 23->31 34 413e4d-413e53 30->34 35 413e2f-413e3e PostThreadMessageW 30->35 31->30 35->34 36 413e40-413e4a 35->36 36->34
                  APIs
                  • PostThreadMessageW.USER32(7F327Fu1,00000111,00000000,00000000), ref: 00413E3A
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID: MessagePostThread
                  • String ID: 7F327Fu1$7F327Fu1
                  • API String ID: 1836367815-2746152832
                  • Opcode ID: 764643cc6d8e19f47ea07da935bdc09ef252e3facaa64e913ffa210c35795bed
                  • Instruction ID: 870f4600c515de9e8828853a4b0f66eb6345d4bb71ebefa246f89c3f1a8b36ae
                  • Opcode Fuzzy Hash: 764643cc6d8e19f47ea07da935bdc09ef252e3facaa64e913ffa210c35795bed
                  • Instruction Fuzzy Hash: B101D671D0125CBADB11ABE29C81DEFBB7CDF41798F448469FA04A7141E6784F0687B1
                  Function 004175A0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 98 4175a0-4175a4 99 4175c1-4175c5 98->99 100 4175a7-4175b9 98->100 101 417581-417587 LdrLoadDll 99->101 102 4175c7 99->102 100->99 103 41758a-41758d 101->103 104 4175c9-4175d9 102->104 105 417568-417571 102->105 105->103 106 417573-417580 105->106 106->101
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 305cfbd95feb4398d3fb63ca95f616b9210eeea7e183075cf4c6d5b95a792214
                  • Instruction ID: 912228949d7c05b3a780ba9e2a3e7af4adf42cbb326bc957f296f98e87c86bcd
                  • Opcode Fuzzy Hash: 305cfbd95feb4398d3fb63ca95f616b9210eeea7e183075cf4c6d5b95a792214
                  • Instruction Fuzzy Hash: EDF04C34A49147AFEB00CB90C8D1BE9FBB5EB57708F2015DAE98489243E230A543C740
                  Function 0042C6F3 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 107 42c6f3-42c737 call 404673 call 42d603 RtlAllocateHeap
                  APIs
                  • RtlAllocateHeap.NTDLL(?,0041E314,?,?,00000000,?,0041E314,?,?,?), ref: 0042C732
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 074ea6249f7f8fe115429c6a6993a44557046891f711dbd7ff58e3637898dc57
                  • Instruction ID: fec6a8fec527972d5efb7c0dd73820ad7fcebc30fcace0200a1d3d63316ddb0f
                  • Opcode Fuzzy Hash: 074ea6249f7f8fe115429c6a6993a44557046891f711dbd7ff58e3637898dc57
                  • Instruction Fuzzy Hash: FBE06D716046047BD610EE59EC41FDB37ACEFC9714F00441AF908A7241D675B910CBF8
                  Function 0042C743 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 112 42c743-42c784 call 404673 call 42d603 RtlFreeHeap
                  APIs
                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,20D5327C,00000007,00000000,00000004,00000000,00416DEC,000000F4), ref: 0042C77F
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: 296b629c9d2835155d13318d5961f35c72fe7f99373226a56f2c4c08cde68261
                  • Instruction ID: ef3760d35d2e403e5b6184eb4195a9065e1dff8902e5148952db74cdecb80896
                  • Opcode Fuzzy Hash: 296b629c9d2835155d13318d5961f35c72fe7f99373226a56f2c4c08cde68261
                  • Instruction Fuzzy Hash: 40E06DB2604204BBD610EE59EC41F9B77ACEFC5714F00441AFA0CA7281D778B910CBB8
                  Function 0042C793 Relevance: 1.5, APIs: 1, Instructions: 25COMMON
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 122 42c793-42c7cf call 404673 call 42d603 ExitProcess
                  APIs
                  • ExitProcess.KERNEL32(?,00000000,00000000,?,ADE13978,?,?,ADE13978), ref: 0042C7CA
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: c93ce2ae967698a6f02e063620f4612e4e2637c9ce2baa18892357b06b3dd98a
                  • Instruction ID: 77e5706d1dace191d34fed1c20be903f81824fec6ac957a55923df3bb2477cfa
                  • Opcode Fuzzy Hash: c93ce2ae967698a6f02e063620f4612e4e2637c9ce2baa18892357b06b3dd98a
                  • Instruction Fuzzy Hash: D3E026712002003BC210EA2ADC01F97775CDFC2710F00401EFA0CA7281C370790087F4
                  Function 05ED2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE
                  Download Yara Rule

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 127 5ed2c0a-5ed2c0f 128 5ed2c1f-5ed2c26 LdrInitializeThunk 127->128 129 5ed2c11-5ed2c18 127->129
                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 5ca7a0f38077f09c587bcb3e997d600189b4996b7c69fbf8cc124ab758a5c5cf
                  • Instruction ID: 7769b383715f4680d0de311b03afd1a5c38ab85e4e3ff2019a9a1d4f8f2f7af9
                  • Opcode Fuzzy Hash: 5ca7a0f38077f09c587bcb3e997d600189b4996b7c69fbf8cc124ab758a5c5cf
                  • Instruction Fuzzy Hash: EEB09B72D055C5C5EA51E7604609B17791177D0705F55D061D3470645E4738C5D1F175

                  Non-executed Functions

                  Function 05E868B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim engine DLL$LdrpGetShimEngineInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_InitializeEngine$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-3089669407
                  • Opcode ID: 99ab135a1a8bdf89c45bc1600661c18d1de90ef3a51125451fda35cc08d4b9a4
                  • Instruction ID: 502ad04c1f5a6c5973beedf1a815c7b5979126974dbf394d47a24d37f6cf5dd1
                  • Opcode Fuzzy Hash: 99ab135a1a8bdf89c45bc1600661c18d1de90ef3a51125451fda35cc08d4b9a4
                  • Instruction Fuzzy Hash: 62810DB3D15218BF8B11EAE4DDD9EFE7BFEAB04750B045422B944EB110E674ED058BA0
                  Function 05EC8620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON
                  Download Yara Rule
                  Strings
                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05F054CE
                  • Thread is in a state in which it cannot own a critical section, xrefs: 05F05543
                  • corrupted critical section, xrefs: 05F054C2
                  • Address of the debug info found in the active list., xrefs: 05F054AE, 05F054FA
                  • 8, xrefs: 05F052E3
                  • Thread identifier, xrefs: 05F0553A
                  • undeleted critical section in freed memory, xrefs: 05F0542B
                  • Critical section address., xrefs: 05F05502
                  • Invalid debug info address of this critical section, xrefs: 05F054B6
                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05F0540A, 05F05496, 05F05519
                  • double initialized or corrupted critical section, xrefs: 05F05508
                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 05F054E2
                  • Critical section debug info address, xrefs: 05F0541F, 05F0552E
                  • Critical section address, xrefs: 05F05425, 05F054BC, 05F05534
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                  • API String ID: 0-2368682639
                  • Opcode ID: f7abeebc2d4e57d02fee29c88e94d69124988bd4aaa9b3e5e744b3b4d6b7a9f0
                  • Instruction ID: e861c4cf6b084c3fc74a4c5e5eca841ea03c01833b203fce80576b7b3fd15713
                  • Opcode Fuzzy Hash: f7abeebc2d4e57d02fee29c88e94d69124988bd4aaa9b3e5e744b3b4d6b7a9f0
                  • Instruction Fuzzy Hash: C5819EB1A44348AFDB20CF98C949FAEBBBAFB08714F145159F548B7280D3B5A941DF60
                  Function 05EC0F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                  • API String ID: 0-360209818
                  • Opcode ID: a8ea5ecc6c5a76800479a7069136f7a5999c17e28a099842ade1106a1402afa1
                  • Instruction ID: dabeb783b996109b586b5f67549488a9df29fa9357bfc4631c0139f9cc4e46ab
                  • Opcode Fuzzy Hash: a8ea5ecc6c5a76800479a7069136f7a5999c17e28a099842ade1106a1402afa1
                  • Instruction Fuzzy Hash: 336291B5E042298FDB24CF18CC41BA9B7B7BF85314F5891DAD489AB280D7369AD1DF40
                  Function 05F412ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                  • API String ID: 0-3591852110
                  • Opcode ID: ccc25bc47a1e08fe68a35ec927986fe2efbf118b0f9381fd5f8d7c4da47ade0d
                  • Instruction ID: 580635669929f62099a0287763a4df4fcf73214b21c439307bc91a3d60a7cd1e
                  • Opcode Fuzzy Hash: ccc25bc47a1e08fe68a35ec927986fe2efbf118b0f9381fd5f8d7c4da47ade0d
                  • Instruction Fuzzy Hash: BB128831A04642AFD725DF28C445FBABBE6BF09754F188859E4DA8B651D738E880CF50
                  Function 05EAAD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                  • API String ID: 0-3197712848
                  • Opcode ID: 607abdd6f9a8b50f3834418eeb8188a093b14aa66b56a87f6cb001ebe7bbce75
                  • Instruction ID: 9a9f219db4f0f08f0490881fa7689d2ddec530ca918b8ee49297b518a4f003df
                  • Opcode Fuzzy Hash: 607abdd6f9a8b50f3834418eeb8188a093b14aa66b56a87f6cb001ebe7bbce75
                  • Instruction Fuzzy Hash: 9C12D3726083558BE324DF24C884BBAB7E6BF84748F04696DF9C58F291EB34E944C752
                  Function 05E8D34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                  • API String ID: 0-3532704233
                  • Opcode ID: a798e0ff46953fe5a6d5aaf7ef39b4fb1078b50a4c284d15df53d43d1b4ae0ec
                  • Instruction ID: bfab75eea6b97027d3fc5b5750b9c51d1bd87dbced7b13e644243cabdea1501f
                  • Opcode Fuzzy Hash: a798e0ff46953fe5a6d5aaf7ef39b4fb1078b50a4c284d15df53d43d1b4ae0ec
                  • Instruction Fuzzy Hash: 25B19D725083059FD711EF24C984A6BB7E9BB84758F01692EF8CDD7280E770D909CB92
                  Function 05F40CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                  • API String ID: 0-1357697941
                  • Opcode ID: 261e658ac0a613d749dcc6e60889424d531f24fb2a0ae09ea7c1516237ad1f10
                  • Instruction ID: e3e1f502b305702c4f2d2df80afd5c4615432c469006c186d63c38d059ca1b25
                  • Opcode Fuzzy Hash: 261e658ac0a613d749dcc6e60889424d531f24fb2a0ae09ea7c1516237ad1f10
                  • Instruction Fuzzy Hash: 96F11231A04245EFCB25DF68C448BBABBF9FF09714F088059E5DA9B251DB38A985CF50
                  Function 05F29179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                  • API String ID: 2994545307-3063724069
                  • Opcode ID: 45a370943b5f32fbda854bed8c188a54ed8a891201867d56fd71af9ac4c62056
                  • Instruction ID: 1afa388f2a3d061beace739ff581ccd59fd23cbce05589db17913bcc0b938018
                  • Opcode Fuzzy Hash: 45a370943b5f32fbda854bed8c188a54ed8a891201867d56fd71af9ac4c62056
                  • Instruction Fuzzy Hash: 60D103F2908325ABD731DB64C945BABBBE8BF84714F00592DFA8497150D7B8CD84C7A2
                  Function 05F40274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                  • API String ID: 0-1700792311
                  • Opcode ID: 087e01f28b6736f109605447da4c2b95fc99c8c3622a97dcc1072be095f37a58
                  • Instruction ID: 666cfebc26347b391e586011122011df3fb38513bf9e0b3b7e99bb9865170111
                  • Opcode Fuzzy Hash: 087e01f28b6736f109605447da4c2b95fc99c8c3622a97dcc1072be095f37a58
                  • Instruction Fuzzy Hash: F4D1DD31A14685DFCB12EF68C449ABDBFFAFF49614F088459E58A9F261CB389940CF14
                  Function 05E8D08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON
                  Download Yara Rule
                  Strings
                  • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 05E8D262
                  • @, xrefs: 05E8D313
                  • Control Panel\Desktop\LanguageConfiguration, xrefs: 05E8D196
                  • @, xrefs: 05E8D0FD
                  • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 05E8D0CF
                  • @, xrefs: 05E8D2AF
                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 05E8D2C3
                  • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 05E8D146
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                  • API String ID: 0-1356375266
                  • Opcode ID: 95e6d65ac441be3ee20a5c82ec6ff2625949a14fdc607a903c7a47083703b794
                  • Instruction ID: e628462e7f026f93ba199382510cf3112a5fd272e1ce4b3b0a2259b68648b64d
                  • Opcode Fuzzy Hash: 95e6d65ac441be3ee20a5c82ec6ff2625949a14fdc607a903c7a47083703b794
                  • Instruction Fuzzy Hash: E7A16E729083459FE721DF24C988BABB7E9BF84759F00592EE5CC96280E774D908CF52
                  Function 05EA9EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON
                  Download Yara Rule
                  Strings
                  • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 05EF7709
                  • sxsisol_SearchActCtxForDllName, xrefs: 05EF76DD
                  • @, xrefs: 05EA9EE7
                  • Internal error check failed, xrefs: 05EF7718, 05EF78A9
                  • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 05EF76EE
                  • Status != STATUS_NOT_FOUND, xrefs: 05EF789A
                  • minkernel\ntdll\sxsisol.cpp, xrefs: 05EF7713, 05EF78A4
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
                  • API String ID: 0-761764676
                  • Opcode ID: c76af6f78bba1b15a4c167a1e95ed83352b92966c610292b1454f622238a289a
                  • Instruction ID: 3cd91bdeb5b7a569400ee77b371b6ff6ba9bc107eaa64dc83b8361f342bce721
                  • Opcode Fuzzy Hash: c76af6f78bba1b15a4c167a1e95ed83352b92966c610292b1454f622238a289a
                  • Instruction Fuzzy Hash: F4128075A00229DBDB24CF68C881AFDB7B5FF08714F15906AE989EF241E735E841CB60
                  Function 05E9EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                  • API String ID: 0-1109411897
                  • Opcode ID: 8e731e4537d6771d2b52c2d01e4c0a6ba3adaf04f341bb5e548dc712cb0fc45a
                  • Instruction ID: 41a1ff9b12aedf4e941ce716653d312eabd839326889c4a5dbd5960f34786510
                  • Opcode Fuzzy Hash: 8e731e4537d6771d2b52c2d01e4c0a6ba3adaf04f341bb5e548dc712cb0fc45a
                  • Instruction Fuzzy Hash: 7BA25B75A056298FDF69DF15CC88BAAB7B6BF44304F1052E9D59DA7290EB309E80CF40
                  Function 05E8F172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-523794902
                  • Opcode ID: 161d160cb85f23f2d14028143845e302f2b1b5032c1ad3ca28d01aad9598f738
                  • Instruction ID: fcf002de0e39a582ffd1d7cf330f8d916a847acb956fc7bc5f59d389bcfefeff
                  • Opcode Fuzzy Hash: 161d160cb85f23f2d14028143845e302f2b1b5032c1ad3ca28d01aad9598f738
                  • Instruction Fuzzy Hash: 3942D0312187819FD715EF28C888A7ABBE6FF88704F04696DE4EA8B351E734D845CB51
                  Function 05E9ADE0 Relevance: 8.1, Strings: 6, Instructions: 573COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                  • API String ID: 0-4098886588
                  • Opcode ID: 45cc4978979c58178ba41012a4839c5c2e677a5460782c203dba6b2a320cf356
                  • Instruction ID: 2194d26be538a6764d8467ad4299f8423e940562668cc0200476e89881d3fde7
                  • Opcode Fuzzy Hash: 45cc4978979c58178ba41012a4839c5c2e677a5460782c203dba6b2a320cf356
                  • Instruction Fuzzy Hash: 5732B571A08269CBEF29CF14D898BFEB7BABF45344F1061E5D489A7250DB719E818F40
                  Function 05EAB1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                  • API String ID: 0-122214566
                  • Opcode ID: 82d2e2dc99fc89dbe2240d84314d33ba7a42514587990159bca08049611cb251
                  • Instruction ID: 11290a172b7dae159c1dae3cb30d56411e7c1c0a9e4aeaf0d973e006a48306c3
                  • Opcode Fuzzy Hash: 82d2e2dc99fc89dbe2240d84314d33ba7a42514587990159bca08049611cb251
                  • Instruction Fuzzy Hash: ADC12A32B082159BDB24CF74C885BBE776ABF45304F146169E9C69F291EBB4AC44C391
                  Function 05EC63FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-792281065
                  • Opcode ID: 65da4d83745be53ee475bb36df3d365becb621c5c5b963bf8c9ce32111bc6d63
                  • Instruction ID: bd939382805554478b800e93e5eb0f5e57c3c2739e9956ae258447b3e2002000
                  • Opcode Fuzzy Hash: 65da4d83745be53ee475bb36df3d365becb621c5c5b963bf8c9ce32111bc6d63
                  • Instruction Fuzzy Hash: 18911B31B047189BDB25DF14DD49BBE7BA2BF40B14F18259CEA826B2C0DB78D802D791
                  Function 05F3F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                  • API String ID: 0-1745908468
                  • Opcode ID: ecdc1c16e6f9d83ff6674638c551a690f743f90286b4b3efe1eff75d41a478ec
                  • Instruction ID: ef93e62bae5ba31965dc677ea5d047e752114360b5a1906b5f3115ffc0536d37
                  • Opcode Fuzzy Hash: ecdc1c16e6f9d83ff6674638c551a690f743f90286b4b3efe1eff75d41a478ec
                  • Instruction Fuzzy Hash: B5910131E00645DFEB15EF68C446ABEBBF2FF09714F188459E49A9B261CB3D9880CB14
                  Function 05E8645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON
                  Download Yara Rule
                  Strings
                  • minkernel\ntdll\ldrinit.c, xrefs: 05EE9A11, 05EE9A3A
                  • apphelp.dll, xrefs: 05E86496
                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 05EE9A2A
                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 05EE9A01
                  • LdrpInitShimEngine, xrefs: 05EE99F4, 05EE9A07, 05EE9A30
                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 05EE99ED
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-204845295
                  • Opcode ID: 3a3eedad871fe44d208290b5e783655e398dab5764d4c153f2568085202a6b1e
                  • Instruction ID: b17d76423e879e477c797015666b738879ade4029bcc65e417099be0e8048bdc
                  • Opcode Fuzzy Hash: 3a3eedad871fe44d208290b5e783655e398dab5764d4c153f2568085202a6b1e
                  • Instruction Fuzzy Hash: 815193716587049FE325EF24D846ABB77E5FF84744F002919F5C99B1A1EB30E904CB92
                  Function 05ECC6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                  Download Yara Rule
                  Strings
                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 05F081E5
                  • minkernel\ntdll\ldrinit.c, xrefs: 05ECC6C3
                  • LdrpInitializeProcess, xrefs: 05ECC6C4
                  • LdrpInitializeImportRedirection, xrefs: 05F08177, 05F081EB
                  • Loading import redirection DLL: '%wZ', xrefs: 05F08170
                  • minkernel\ntdll\ldrredirect.c, xrefs: 05F08181, 05F081F5
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                  • API String ID: 0-475462383
                  • Opcode ID: 0766f8fd45dab0e12f2c8f5d7351719c86309990edf69b7ef956dc377c4d683d
                  • Instruction ID: 0b06aceb0d89100e5448e03b3fdc22b0ce93d28cbdcc78d3d317dad5ea878a06
                  • Opcode Fuzzy Hash: 0766f8fd45dab0e12f2c8f5d7351719c86309990edf69b7ef956dc377c4d683d
                  • Instruction Fuzzy Hash: C63159717483059BC310EF28DE4AE6B7B95EF84B54F041958F8C59B2D0EA24EC01D7A2
                  Function 05EC2674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON
                  Download Yara Rule
                  Strings
                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 05F02178
                  • RtlGetAssemblyStorageRoot, xrefs: 05F02160, 05F0219A, 05F021BA
                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 05F0219F
                  • SXS: %s() passed the empty activation context, xrefs: 05F02165
                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 05F021BF
                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 05F02180
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                  • API String ID: 0-861424205
                  • Opcode ID: 9f30ab77b02f75cdd46bc04b211a852d4c51305520bd73c69b1bb2110410e39e
                  • Instruction ID: 1b879e4582e3eac65696b14428b470291ab43e424c2f74fa149770448099e0ae
                  • Opcode Fuzzy Hash: 9f30ab77b02f75cdd46bc04b211a852d4c51305520bd73c69b1bb2110410e39e
                  • Instruction Fuzzy Hash: AF310D3AF40224B7F721CA55CC85F5E7B79EB54A40F095099BA8567140D174DE01D6B1
                  Function 05EBF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON
                  Download Yara Rule
                  Strings
                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 05F002E7
                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 05F002BD
                  • RTL: Re-Waiting, xrefs: 05F0031E
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                  • API String ID: 0-2474120054
                  • Opcode ID: eaaad763a530197045cb96f6016b352d89228930bcaabae7bd94ae4a35669d8c
                  • Instruction ID: 5d19f43e792cabd36a21716bdfc30c997e3a2216abadb9d3b41a4cdc836438dc
                  • Opcode Fuzzy Hash: eaaad763a530197045cb96f6016b352d89228930bcaabae7bd94ae4a35669d8c
                  • Instruction Fuzzy Hash: 5BE1F231A08741DFE725CF28C888BAAB7E5BF44314F141A6DF5A58B2D0DBB8D845CB52
                  Function 05F19C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
                  • API String ID: 0-3127649145
                  • Opcode ID: 059c5cd85b6defd2a870878a0d1028f59cabc9987ba59879d4812004dcb991ef
                  • Instruction ID: 30ecd70958b1f28bacebc65348b38b6f0c8033ab112a58bd3e421896e385718c
                  • Opcode Fuzzy Hash: 059c5cd85b6defd2a870878a0d1028f59cabc9987ba59879d4812004dcb991ef
                  • Instruction Fuzzy Hash: 6D328C71A013199BDB31DF25CC88BAAB7F9FF48300F1041EAD949A7250DB75AA84CF94
                  Function 05EA9950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                  • API String ID: 0-3393094623
                  • Opcode ID: 3f352b21baabb32acc562baf92675ee81ccc84bcbbbc35d80ad4690312b339ad
                  • Instruction ID: 66f5514384bbae938589af80f7cba4b6518f85316c3fe6ad592990aca44a5faa
                  • Opcode Fuzzy Hash: 3f352b21baabb32acc562baf92675ee81ccc84bcbbbc35d80ad4690312b339ad
                  • Instruction Fuzzy Hash: E2024B7250C3418BE721CF64C184BABB7E6BF84744F45A91EE9D9CB252E770E844CB92
                  Function 05EB51EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON
                  Download Yara Rule
                  Strings
                  • WindowsExcludedProcs, xrefs: 05EB522A
                  • Kernel-MUI-Language-SKU, xrefs: 05EB542B
                  • Kernel-MUI-Language-Disallowed, xrefs: 05EB5352
                  • Kernel-MUI-Number-Allowed, xrefs: 05EB5247
                  • Kernel-MUI-Language-Allowed, xrefs: 05EB527B
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                  • API String ID: 0-258546922
                  • Opcode ID: b9bf70e7e6996d69549289227175f568523e4728ceb810e68314203394618af6
                  • Instruction ID: 19da29e033f5027ab99b59cb5b692c3972ce216b77b2e75087385f2b06a77f28
                  • Opcode Fuzzy Hash: b9bf70e7e6996d69549289227175f568523e4728ceb810e68314203394618af6
                  • Instruction Fuzzy Hash: FCF15072E05219EFEB15DFA4C984DEFB7BDFF08654F14605AE581A7210E7709E018BA0
                  Function 05F14F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                  • API String ID: 0-2518169356
                  • Opcode ID: 5d11dec924bfea941a4161522c776ba58469f009064addf7181828a100b52841
                  • Instruction ID: 5d59cc7732b78ff6c83e1069fe0b6fab63102c5d854aaeb381912e168115a5b9
                  • Opcode Fuzzy Hash: 5d11dec924bfea941a4161522c776ba58469f009064addf7181828a100b52841
                  • Instruction Fuzzy Hash: AB91C072E0061ADBCB21CFA8C881ABEB7B5FF88310F594169E855E7350E739D901CB94
                  Function 05EBD7B0 Relevance: 6.4, Strings: 5, Instructions: 151COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-1975516107
                  • Opcode ID: 81f6933bdbdfd313c6b356619ade35429a83161e2a7aafcfa6e0e2de6bb0d8ef
                  • Instruction ID: 858f21ebdb1afc68d44f922b14c6ed2895d59052f21490c94cdb36801797fe9b
                  • Opcode Fuzzy Hash: 81f6933bdbdfd313c6b356619ade35429a83161e2a7aafcfa6e0e2de6bb0d8ef
                  • Instruction Fuzzy Hash: 4D512871E043499FEB14DFA4DA457FEBBB2FF04319F146199D4816B291DBB4A841CB80
                  Function 05E876B2 Relevance: 6.3, Strings: 5, Instructions: 51COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                  • API String ID: 0-3061284088
                  • Opcode ID: fd3b582d6a195b4bda91c0719a5ec0b716ed91b93d5c4448e828bd8cf767dc3a
                  • Instruction ID: 2be9b775e450983a054f208fec7614aee69f818442b3ca55a8d298f7ce51aada
                  • Opcode Fuzzy Hash: fd3b582d6a195b4bda91c0719a5ec0b716ed91b93d5c4448e828bd8cf767dc3a
                  • Instruction Fuzzy Hash: 5D01DD32264550DED225AB18D40EF7677D8EB41AB4F146059E0D947661CAA46880D165
                  Function 05EA70C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                  • API String ID: 0-3178619729
                  • Opcode ID: 501b570cac886b2dba6f8d3f1662a91656fe68f3faaede17f30e60bd90bd64ae
                  • Instruction ID: 82bf1679322be2ee3505ee81f4b6cfa48a1276f75ddf0eda80edc4c2cfcd155f
                  • Opcode Fuzzy Hash: 501b570cac886b2dba6f8d3f1662a91656fe68f3faaede17f30e60bd90bd64ae
                  • Instruction Fuzzy Hash: F0139071A04255DFEB25CF68C494BA9BBF2FF48304F1491A9D88AAF381D734B945CB90
                  Function 05EA1070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-3570731704
                  • Opcode ID: 440c1a0678594efb28c4b018abd3a497ea4eea55e5a86d91902b8a47fbb355ba
                  • Instruction ID: 75cb6ead12523dc2361293f19a340cf3c3154529236760351eb64547b1e96018
                  • Opcode Fuzzy Hash: 440c1a0678594efb28c4b018abd3a497ea4eea55e5a86d91902b8a47fbb355ba
                  • Instruction Fuzzy Hash: F5923E71A05268CFEB24CF24CC44FA9B7B6BF45354F0591EAD989AB250E734AE80CF51
                  Function 05EAA840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON
                  Download Yara Rule
                  Strings
                  • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 05EF7D39
                  • SsHd, xrefs: 05EAA885
                  • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 05EF7D56
                  • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 05EF7D03
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                  • API String ID: 0-2905229100
                  • Opcode ID: 5b3fad11bfa7d376690254b22ef1fb1bd2b024b522bed949b42792bcc434d226
                  • Instruction ID: 4b16697fefa51bc8ccbdc1b58ee52daff90fe4e0d2764478195871c5510f12cd
                  • Opcode Fuzzy Hash: 5b3fad11bfa7d376690254b22ef1fb1bd2b024b522bed949b42792bcc434d226
                  • Instruction Fuzzy Hash: FED1C272A04319DBDB25CFA8D8C0AEDB7F2FF48304F155069E985AF255E731A941CBA0
                  Function 05EA3D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                  • API String ID: 0-3178619729
                  • Opcode ID: 339fa30d7d7d2b711a418d7a8f2153033c38ec1b4fb1d2bc9178519e303c151d
                  • Instruction ID: 90d6ff5ffc70c59bac6f7fa38ad89122eb88d8ac54281c5b458ecd291d57b0f2
                  • Opcode Fuzzy Hash: 339fa30d7d7d2b711a418d7a8f2153033c38ec1b4fb1d2bc9178519e303c151d
                  • Instruction Fuzzy Hash: 33E2BF71A042558FEF25CF68C484BA9BBF2FF49304F149199E889AF385D7B4B845CB90
                  Function 05E9A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                  • API String ID: 0-379654539
                  • Opcode ID: db2625278b2da433f1f62fc2bdfd52d0989feea4d61184b7cfd43bd533c2a4d8
                  • Instruction ID: f058c47d960076ac41a165dae1ec8b585bf34198dfd59a7068dda6839c424431
                  • Opcode Fuzzy Hash: db2625278b2da433f1f62fc2bdfd52d0989feea4d61184b7cfd43bd533c2a4d8
                  • Instruction Fuzzy Hash: 2BC18BB5208382CFDB19DF58C444BAAB7E5FF84708F00A96AF9D68B250E734C945CB52
                  Function 05EC8402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON
                  Download Yara Rule
                  Strings
                  • minkernel\ntdll\ldrinit.c, xrefs: 05EC8421
                  • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 05EC855E
                  • LdrpInitializeProcess, xrefs: 05EC8422
                  • @, xrefs: 05EC8591
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-1918872054
                  • Opcode ID: 59365b615332af76cf7984637ea25d82071ff6369eae9a824829ee1fce59e480
                  • Instruction ID: b46b9815a70413a047ab11d4d0506ada294d4f7f2b823b111c3961306b03af15
                  • Opcode Fuzzy Hash: 59365b615332af76cf7984637ea25d82071ff6369eae9a824829ee1fce59e480
                  • Instruction Fuzzy Hash: 1791AF72648344AFD721DF20CE54EBBBBE9BF84684F40196EF6C486140E3B4D905CB62
                  Function 05EA0C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON
                  Download Yara Rule
                  Strings
                  • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 05EF55AE
                  • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 05EF54ED
                  • HEAP[%wZ]: , xrefs: 05EF54D1, 05EF5592
                  • HEAP: , xrefs: 05EF54E0, 05EF55A1
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                  • API String ID: 0-1657114761
                  • Opcode ID: e2fb9355c919618f4d83e2f06187306b985d30ed7c49ab7b076a4e6d1c436ef5
                  • Instruction ID: c80a114d4a9cd6b46f642efefdf76a79ccf1120e3d2e272d1973eedf9377a2d4
                  • Opcode Fuzzy Hash: e2fb9355c919618f4d83e2f06187306b985d30ed7c49ab7b076a4e6d1c436ef5
                  • Instruction Fuzzy Hash: 4AA1E176604245AFEB28DF34C448BBABBF2BF54304F14A56AD4DA8B681E734F844C791
                  Function 05EC273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON
                  Download Yara Rule
                  Strings
                  • .Local, xrefs: 05EC28D8
                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 05F022B6
                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 05F021D9, 05F022B1
                  • SXS: %s() passed the empty activation context, xrefs: 05F021DE
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                  • API String ID: 0-1239276146
                  • Opcode ID: f63a9377cc2b45a749a573912641c71df4c9dd02c63c0f2ea6578ad46be46c11
                  • Instruction ID: 2e7dacd036a896c1735969dddddeca4325431193465adcac6f6133985d8cb06c
                  • Opcode Fuzzy Hash: f63a9377cc2b45a749a573912641c71df4c9dd02c63c0f2ea6578ad46be46c11
                  • Instruction Fuzzy Hash: F3A1C039E002299BDB24CF64CD88BA9B7B1BF58314F1451EDD989AB251D730DE81CF90
                  Function 004011A0 Relevance: 5.2, Strings: 4, Instructions: 221COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: VUUU$gfff$}*$~
                  • API String ID: 0-931585465
                  • Opcode ID: 47581c6372108d3df40e55b6a51e1e2e431017db3b2e3e023f00596a4df81867
                  • Instruction ID: 736efeb6fce3c64669619015c91490c94a9c0db86dae9f3c1a202981569ee3f0
                  • Opcode Fuzzy Hash: 47581c6372108d3df40e55b6a51e1e2e431017db3b2e3e023f00596a4df81867
                  • Instruction Fuzzy Hash: 8181B071E1074987CF18CE99D8901EEB771FFA5310F14826BE805BF395EB789A808B85
                  Function 05E964AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON
                  Download Yara Rule
                  Strings
                  • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 05EF1028
                  • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 05EF0FE5
                  • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 05EF10AE
                  • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 05EF106B
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                  • API String ID: 0-1468400865
                  • Opcode ID: 29618f940239a984702428389c9be583909fd417acf002cea1fff5743a991ce8
                  • Instruction ID: d921419ec283828ac8540aa5191929ee911cde567989504235b154b504e85121
                  • Opcode Fuzzy Hash: 29618f940239a984702428389c9be583909fd417acf002cea1fff5743a991ce8
                  • Instruction Fuzzy Hash: DB71E4B1A04344AFDB20DF14C888FA77BA9BF44754F406869F9C98B186D734D589CBE2
                  Function 05E8F626 Relevance: 5.2, Strings: 4, Instructions: 188COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                  • API String ID: 0-2586055223
                  • Opcode ID: 33aee0c819fd735a5bfd6162aebabb56584ccbc0cdd4a5291c9b65aae558941f
                  • Instruction ID: 57f92cffe0815acd4a4fdfc627177f9148362ab0b2c1b3c845fe840a6fa63ee2
                  • Opcode Fuzzy Hash: 33aee0c819fd735a5bfd6162aebabb56584ccbc0cdd4a5291c9b65aae558941f
                  • Instruction Fuzzy Hash: 7461F4722146809FE721EB68C848F77B7E9FF84714F041558E9E98B291E734E845CB61
                  Function 05F411A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                  • API String ID: 0-336120773
                  • Opcode ID: ac1ae7628993458c592ad7e28e8dfc86a602c69aa6f50fd04f8afbeca49654bc
                  • Instruction ID: e735749adc28656aeede0d4ae9a8d24a2ef02283cfa9ed443444ed8766546771
                  • Opcode Fuzzy Hash: ac1ae7628993458c592ad7e28e8dfc86a602c69aa6f50fd04f8afbeca49654bc
                  • Instruction Fuzzy Hash: 15310632714210EFD715DB98C885F7B7BE9FF046A4F141055F489CB2A0E678AE80CE64
                  Function 05EB245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                  Download Yara Rule
                  Strings
                  • minkernel\ntdll\ldrinit.c, xrefs: 05EFA9A2
                  • apphelp.dll, xrefs: 05EB2462
                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 05EFA992
                  • LdrpDynamicShimModule, xrefs: 05EFA998
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-176724104
                  • Opcode ID: ec92be4ef193863788944e248271e52746b914bcf65b9348987edcb587b89052
                  • Instruction ID: d532e5e5d4c30d9a46e0c09bec77a7ba91c815118054606dcd7cfb57d8c1560e
                  • Opcode Fuzzy Hash: ec92be4ef193863788944e248271e52746b914bcf65b9348987edcb587b89052
                  • Instruction Fuzzy Hash: 86314C32A10205ABEB20DF58DC46EBE7BB6FF84B04F151069FA45AF250DFB49841C750
                  Function 05E89148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                  • API String ID: 2994545307-1391187441
                  • Opcode ID: 44ce3e2b7b960e84a5cec0dd78a8efd6898892b85fc64049fe1f7403f1e5e5d5
                  • Instruction ID: 05356d9e272c01c958ca3798ab9caaa363d4140c192036bce8ca70fdb599590f
                  • Opcode Fuzzy Hash: 44ce3e2b7b960e84a5cec0dd78a8efd6898892b85fc64049fe1f7403f1e5e5d5
                  • Instruction Fuzzy Hash: 1931C132B14218EFDB01EB44C889FBAB7BDEF44764F155055E89DA7291D770E940CA60
                  Function 05EA29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON
                  Download Yara Rule
                  Strings
                  • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 05EA327D
                  • HEAP[%wZ]: , xrefs: 05EA3255
                  • HEAP: , xrefs: 05EA3264
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                  • API String ID: 0-617086771
                  • Opcode ID: 72e4f4f853983f92b3ddb79d2906e584f9293c85183d4c3d70d24157d3c7011b
                  • Instruction ID: 97abac352317bd8db9b752c5dbf76285a376dd8724c1e67c72eff03a5b08509b
                  • Opcode Fuzzy Hash: 72e4f4f853983f92b3ddb79d2906e584f9293c85183d4c3d70d24157d3c7011b
                  • Instruction Fuzzy Hash: B992CF76A042489FEB25CF68C444BAEBBF2FF48304F149459E99AAF351D734A941CF50
                  Function 05EA1F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                  • API String ID: 0-3178619729
                  • Opcode ID: 74ad0b040c7e0896d68dbac71c380328d14b63822803307bee10973da61dd90d
                  • Instruction ID: 223dab73cd06d741b28f019d8a5589639aee0c5271f87e7d32ba158a425b5db6
                  • Opcode Fuzzy Hash: 74ad0b040c7e0896d68dbac71c380328d14b63822803307bee10973da61dd90d
                  • Instruction Fuzzy Hash: 9C222570604641DFEB25CF24C495B7ABBF6FF05708F14949AE6DA8B281EB35E841CB50
                  Function 05F394E0 Relevance: 4.3, Strings: 3, Instructions: 558COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: $ $0
                  • API String ID: 0-3352262554
                  • Opcode ID: 1b7f91010e42e8c2b66eba0990d3fe5b0e460f6a408a1b4bbed4dfac859109a6
                  • Instruction ID: 684341dda584ca0cf3c3846c484160cb45899e300c892d7164020145ad563d61
                  • Opcode Fuzzy Hash: 1b7f91010e42e8c2b66eba0990d3fe5b0e460f6a408a1b4bbed4dfac859109a6
                  • Instruction Fuzzy Hash: 663217B1A083418FE360CF68C685B6BFBE5BB88344F04492DF59987350D7B9E949CB52
                  Function 05EA0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-4253913091
                  • Opcode ID: 9d81a85f90efc35ce0ef35368ef49c380e400c4d4e10097eb83c920bf94c6706
                  • Instruction ID: 60ff58993d07962f77138df9eb269efe4081815c6bd50a3022772ff51d1ad58e
                  • Opcode Fuzzy Hash: 9d81a85f90efc35ce0ef35368ef49c380e400c4d4e10097eb83c920bf94c6706
                  • Instruction Fuzzy Hash: 6BF1AC31700605DFEB15CF68C888FBAB7B6FB44304F1491A9E5969B391EB34B941CB90
                  Function 05E91460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON
                  Download Yara Rule
                  Strings
                  • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 05E91728
                  • HEAP[%wZ]: , xrefs: 05E91712
                  • HEAP: , xrefs: 05E91596
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                  • API String ID: 0-3178619729
                  • Opcode ID: 5840d23ef7d73cc25db70c780d36df31dd8c828238ef0472677cb08584fe6696
                  • Instruction ID: 281aaa6cb1edeab3d58b77538c2372c2f23a678e93661287c5febed56d66e2da
                  • Opcode Fuzzy Hash: 5840d23ef7d73cc25db70c780d36df31dd8c828238ef0472677cb08584fe6696
                  • Instruction Fuzzy Hash: 0BE1E071A142869FEB2DCF28C455BBABBF2BF49304F14945DE4E68B246E734E940CB50
                  Function 05E9B6C0 Relevance: 4.1, Strings: 3, Instructions: 303COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                  • API String ID: 0-1145731471
                  • Opcode ID: 271e596d04fedcd221059e07d6a64134187622dbe30b99d76b96d169fd13e83e
                  • Instruction ID: 4c960fff2c82be3a6b80945f07552bbf150fa6295e7c4e543899bf32a705b73b
                  • Opcode Fuzzy Hash: 271e596d04fedcd221059e07d6a64134187622dbe30b99d76b96d169fd13e83e
                  • Instruction Fuzzy Hash: 49B1C236A086849FDF29CF55E980FADB7BABF48704F145969E592DB380DB34E840CB40
                  Function 05F1368C Relevance: 4.0, Strings: 3, Instructions: 292COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                  • API String ID: 0-2391371766
                  • Opcode ID: 4fe3aeff1b3435299ca9accca739ee6b776d0dd222141b1ee2cd76fcbb56187f
                  • Instruction ID: 71b4f087f27848bf8826b7080152d0b8fb07f20054747df3d6754b936ff68508
                  • Opcode Fuzzy Hash: 4fe3aeff1b3435299ca9accca739ee6b776d0dd222141b1ee2cd76fcbb56187f
                  • Instruction Fuzzy Hash: 3FB1AF76A08345AFE711DF54C885F6BBBE9BB44710F000D29FA919B2D0DB79E804CB96
                  Function 05EB6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: $@
                  • API String ID: 2994545307-1077428164
                  • Opcode ID: 69e97582844dc8b10fbd7dfda193f91a0963fa3241701c64c107697aac8a2b2f
                  • Instruction ID: 84cbd6d446f6635c86a7b6aae4c45cc75222c543293380870f0b6a5d49445d15
                  • Opcode Fuzzy Hash: 69e97582844dc8b10fbd7dfda193f91a0963fa3241701c64c107697aac8a2b2f
                  • Instruction Fuzzy Hash: 85C25C7160C3459FEB25CF24C880BABBBE6BFC8745F14A92DE9C987250E774D8058B52
                  Function 05E8A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: FilterFullPath$UseFilter$\??\
                  • API String ID: 0-2779062949
                  • Opcode ID: 4d93ce214e2109bed7126ad2132c1843f79abad3fa9d8c1b56e42c991c58c626
                  • Instruction ID: 5f14aa0ffcf95887aa312d5ca57c515d00617051079a3d862c5bbcc00180e9de
                  • Opcode Fuzzy Hash: 4d93ce214e2109bed7126ad2132c1843f79abad3fa9d8c1b56e42c991c58c626
                  • Instruction Fuzzy Hash: 66A17B729106299BDB31DF24CC88BEAB7B9FB08714F1011EAE94DA7210D7359E85CF50
                  Function 05F236EE Relevance: 4.0, Strings: 3, Instructions: 236COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                  • API String ID: 0-318774311
                  • Opcode ID: cb2e9323944496a92354559a73192300281c28de50add772a34a3a36dd0ff5c8
                  • Instruction ID: f2d274977c4b16eb0da5c9ea0f64806ab2c9bbfaf367d918b4a3bfb46ef2a0fb
                  • Opcode Fuzzy Hash: cb2e9323944496a92354559a73192300281c28de50add772a34a3a36dd0ff5c8
                  • Instruction Fuzzy Hash: 25815BF6A08351AFE711DB14C844B6AB7EAFF85750F040D29B9919B3D0D778E904CB62
                  Function 00402240 Relevance: 4.0, Strings: 3, Instructions: 234COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: a```$gfff$gfff
                  • API String ID: 0-2709241141
                  • Opcode ID: 1be59b1bc11dd937977a90a724bf49bbb0a29161c14d1168032db055b3e8b957
                  • Instruction ID: 83ac00d38729b07f03ed087526cdb246287eebf35f04b12ddd0ef92428ce3e35
                  • Opcode Fuzzy Hash: 1be59b1bc11dd937977a90a724bf49bbb0a29161c14d1168032db055b3e8b957
                  • Instruction Fuzzy Hash: 2371F672B0011A4BCB2CCE5DDE842AAB395EBD4305F18817BED49DF3C1E6B8ED518684
                  Function 05E9B440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                  • API String ID: 0-373624363
                  • Opcode ID: e72ad6142f615c8abcd5b6a279764f039d6bb77b6fe254d2bccb4b8c8fb3f5e4
                  • Instruction ID: a4ec411e78646d8716704471342182fab5b7586fbcb38d5545bcb8fc4c9370a7
                  • Opcode Fuzzy Hash: e72ad6142f615c8abcd5b6a279764f039d6bb77b6fe254d2bccb4b8c8fb3f5e4
                  • Instruction Fuzzy Hash: 2691C272A08249CBEF25CF54E440BEE77BAFF04318F145595E8D2AB2D1D778A940CB90
                  Function 05EC909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: %$&$@
                  • API String ID: 0-1537733988
                  • Opcode ID: 281c9c729955f22a88ef9c26e66735f746ee46f9ac8cae09e6d2902e8b2a1098
                  • Instruction ID: b93923e499860c2e5ccfadb0823cde42ec351ec0ab537efbb54c92ef83ea23be
                  • Opcode Fuzzy Hash: 281c9c729955f22a88ef9c26e66735f746ee46f9ac8cae09e6d2902e8b2a1098
                  • Instruction Fuzzy Hash: 3371D0706093019FD714DF24CA84A6BBFE6BF84718F10A95DF4EA97292D730E906CB52
                  Function 05F6B73C Relevance: 3.9, Strings: 3, Instructions: 180COMMON
                  Download Yara Rule
                  Strings
                  • GlobalizationUserSettings, xrefs: 05F6B834
                  • TargetNtPath, xrefs: 05F6B82F
                  • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 05F6B82A
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                  • API String ID: 0-505981995
                  • Opcode ID: 01a1c9541e371da707cc1a97db90098614c93205d92957bb339c47ca999061fe
                  • Instruction ID: 875b1e6af843d527bc5e85a1ef89a5a69aa776e033c9ca0195509f6186579a0b
                  • Opcode Fuzzy Hash: 01a1c9541e371da707cc1a97db90098614c93205d92957bb339c47ca999061fe
                  • Instruction Fuzzy Hash: 83616F72D41229ABDB21DF54CC88BEAB7B9AF14754F0101E5E549EB250DB789E80CF90
                  Function 05E8F7BA Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                  Download Yara Rule
                  Strings
                  • HEAP[%wZ]: , xrefs: 05EEE6A6
                  • HEAP: , xrefs: 05EEE6B3
                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 05EEE6C6
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                  • API String ID: 0-1340214556
                  • Opcode ID: 36b04589591372f9d1188c40ff727356a609141440a6392e46e72490dc6c1970
                  • Instruction ID: cfaa475e6cfabe105b552ce60e8c14bf36348c0596fb488d12f105c71d7507a1
                  • Opcode Fuzzy Hash: 36b04589591372f9d1188c40ff727356a609141440a6392e46e72490dc6c1970
                  • Instruction Fuzzy Hash: B251E331714685EFE722EBA8C848FB6BBF9BF05704F0410A5E5D98B291E774E940CB50
                  Function 05EB15F4 Relevance: 3.9, Strings: 3, Instructions: 166COMMON
                  Download Yara Rule
                  Strings
                  • LdrpCompleteMapModule, xrefs: 05EFA590
                  • minkernel\ntdll\ldrmap.c, xrefs: 05EFA59A
                  • Could not validate the crypto signature for DLL %wZ, xrefs: 05EFA589
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                  • API String ID: 0-1676968949
                  • Opcode ID: 979c12269a667ec843e088b9692320a0e3f9e8f57731a7575a91f52ea7813bfe
                  • Instruction ID: 893a850076a56ac59c822815c86ae42e15aee2dca9d22921a78ab6a9311f24d8
                  • Opcode Fuzzy Hash: 979c12269a667ec843e088b9692320a0e3f9e8f57731a7575a91f52ea7813bfe
                  • Instruction Fuzzy Hash: 52512570704744DBF725CB68C958BAA77E5BF00728F1825A4EAD69F2E5EBB4E800C740
                  Function 05F3DAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON
                  Download Yara Rule
                  Strings
                  • Heap block at %p modified at %p past requested size of %Ix, xrefs: 05F3DC32
                  • HEAP[%wZ]: , xrefs: 05F3DC12
                  • HEAP: , xrefs: 05F3DC1F
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                  • API String ID: 0-3815128232
                  • Opcode ID: 107277f834a0bdc502b0995fe219cc17ccb2814a3b2c84245b3284389840d31b
                  • Instruction ID: 227ec24ccf3678398c5750e455033dca8ec0b8a887f5ecc479ccd633376c933a
                  • Opcode Fuzzy Hash: 107277f834a0bdc502b0995fe219cc17ccb2814a3b2c84245b3284389840d31b
                  • Instruction Fuzzy Hash: D85112366181548AF764DF2AC84A77277E7FB452C4F04488AE4D6CB291D37ED842DB20
                  Function 05ECC720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON
                  Download Yara Rule
                  Strings
                  • minkernel\ntdll\ldrinit.c, xrefs: 05F082E8
                  • Failed to reallocate the system dirs string !, xrefs: 05F082D7
                  • LdrpInitializePerUserWindowsDirectory, xrefs: 05F082DE
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-1783798831
                  • Opcode ID: 64b610d3cb17a51c72dae8c5bdadd2a5deaef4fc02ed8b67de23b5bdb3973963
                  • Instruction ID: f304e8dae537c90edb156734c5e2233c4ff7f9fb665dc0e387eabfd1beb8aa35
                  • Opcode Fuzzy Hash: 64b610d3cb17a51c72dae8c5bdadd2a5deaef4fc02ed8b67de23b5bdb3973963
                  • Instruction Fuzzy Hash: DA412772654304ABD720EB34DD45B7B7BE9FB44750F14182AB998DB290EB78E801C791
                  Function 05E8758F Relevance: 3.9, Strings: 3, Instructions: 132COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                  • API String ID: 0-1151232445
                  • Opcode ID: 83de23340a879afab2e520d40cd7948d8e164627550ede32320b09abf4271894
                  • Instruction ID: cbce45fd29b284e46a795c065acca3c150b283588f547d948fa5a61b3f4fd58b
                  • Opcode Fuzzy Hash: 83de23340a879afab2e520d40cd7948d8e164627550ede32320b09abf4271894
                  • Instruction Fuzzy Hash: 0F41D1703142508FEF29EB5CC088BB977E2EB01348F2864ADD4CE8B256DA769885D751
                  Function 05EC16CF Relevance: 3.9, Strings: 3, Instructions: 127COMMON
                  Download Yara Rule
                  Strings
                  • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 05F01B39
                  • minkernel\ntdll\ldrtls.c, xrefs: 05F01B4A
                  • LdrpAllocateTls, xrefs: 05F01B40
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                  • API String ID: 0-4274184382
                  • Opcode ID: fc877d1649fe6b4e69fc6dd214186a0b9227875f05c8f1b0132160b0388a6de9
                  • Instruction ID: 749bcde84f9343f66f476c91391c9e1061bc9534ecee7122bf3b9c251dc7a188
                  • Opcode Fuzzy Hash: fc877d1649fe6b4e69fc6dd214186a0b9227875f05c8f1b0132160b0388a6de9
                  • Instruction Fuzzy Hash: A241AA76A00608EFDB19DFA8CD41AAEBBF6FF48704F049519E446A7351DB38A801DB90
                  Function 05F4C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON
                  Download Yara Rule
                  Strings
                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 05F4C1C5
                  • @, xrefs: 05F4C1F1
                  • PreferredUILanguages, xrefs: 05F4C212
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                  • API String ID: 0-2968386058
                  • Opcode ID: 423d0509814126b690c87a5d91aa67aafbb04e9b3df119baf9787789bdfb9cc9
                  • Instruction ID: d721fe0178e88e6546871fb22d40ba6cb8d8343682c0869297e6aec6d0d3fcb9
                  • Opcode Fuzzy Hash: 423d0509814126b690c87a5d91aa67aafbb04e9b3df119baf9787789bdfb9cc9
                  • Instruction Fuzzy Hash: A8416F72E01209ABDF11DED4C885FEEBBB9BB14740F14506AE645A7280E7B89F458F60
                  Function 05F14755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                  Download Yara Rule
                  Strings
                  • LdrpCheckRedirection, xrefs: 05F1488F
                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 05F14888
                  • minkernel\ntdll\ldrredirect.c, xrefs: 05F14899
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                  • API String ID: 0-3154609507
                  • Opcode ID: 7797c23ebf770eb1b028a1cee400423307f461529a5d710d819d571d57d0a150
                  • Instruction ID: 9260b811395a033c4e60f5709689d7ca6cc9b14953ffbdc1144bc6d3cc8c8070
                  • Opcode Fuzzy Hash: 7797c23ebf770eb1b028a1cee400423307f461529a5d710d819d571d57d0a150
                  • Instruction Fuzzy Hash: 91419372A146509BCF21CE58D848E377BEAFFC9760B090A69EC59D7351DB38D800CB95
                  Function 05F24144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                  • API String ID: 0-1373925480
                  • Opcode ID: 308d5db8a44716ffafd2425767fdf9b45825cfc9e635d130b7e37eab2d6d5abb
                  • Instruction ID: 6c303aa5e283b52a47443fdf396afeb0f2f3eaabfb2869377b5f16519c48ef66
                  • Opcode Fuzzy Hash: 308d5db8a44716ffafd2425767fdf9b45825cfc9e635d130b7e37eab2d6d5abb
                  • Instruction Fuzzy Hash: ED41E6B2E04268CBDF26DBE6C848BADB7B9FF45340F250459D841EB791D6B89901CB11
                  Function 00402CD0 Relevance: 3.9, Strings: 3, Instructions: 119COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: VUUU$VUUU$gfff
                  • API String ID: 0-2314002932
                  • Opcode ID: baf356d54062e4ce8e4bcf2172ba127e978481ba8bbd574120f46b7963a9c8a4
                  • Instruction ID: bfe129cae91a8820556b7659e8f85bb07734edb1217281866fa287995463376a
                  • Opcode Fuzzy Hash: baf356d54062e4ce8e4bcf2172ba127e978481ba8bbd574120f46b7963a9c8a4
                  • Instruction Fuzzy Hash: 303149337004250BCB2C482E9E5936AB587DFD4314B5A523BEC9AEF3E5E8BCDD164184
                  Function 05F1B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON
                  Download Yara Rule
                  Strings
                  • @, xrefs: 05F1B670
                  • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 05F1B632
                  • GlobalFlag, xrefs: 05F1B68F
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                  • API String ID: 0-4192008846
                  • Opcode ID: 0acaae2105c23320094d887996e436a4799c53c3d3e0697a705f09efb5758d6c
                  • Instruction ID: 5770c2b1b6f813f7854954d4e90503335bdf1be9c9dd996809c5de3888959e61
                  • Opcode Fuzzy Hash: 0acaae2105c23320094d887996e436a4799c53c3d3e0697a705f09efb5758d6c
                  • Instruction Fuzzy Hash: 48314CB2E00219AFDB11EFA4CC94AEEBBB8EF44744F1404A9EA45E7150D7749E00CBA4
                  Function 05EC1607 Relevance: 3.8, Strings: 3, Instructions: 98COMMON
                  Download Yara Rule
                  Strings
                  • DLL "%wZ" has TLS information at %p, xrefs: 05F01A40
                  • LdrpInitializeTls, xrefs: 05F01A47
                  • minkernel\ntdll\ldrtls.c, xrefs: 05F01A51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                  • API String ID: 0-931879808
                  • Opcode ID: 2bd5af52595b87d17e32dbba80e9fd9c3bac0e30f05b47eac6859b1b86bb6a23
                  • Instruction ID: 0a462d7f10ce38954be6f0605bcc98b28247b25e2ae459a25d6435c59b49109b
                  • Opcode Fuzzy Hash: 2bd5af52595b87d17e32dbba80e9fd9c3bac0e30f05b47eac6859b1b86bb6a23
                  • Instruction Fuzzy Hash: 1D312772B10204BBE718DB54CE4AFBA7A7ABB44744F04149DF481A7181DB74ED02CB90
                  Function 05F120DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON
                  Download Yara Rule
                  Strings
                  • minkernel\ntdll\ldrinit.c, xrefs: 05F12104
                  • LdrpInitializationFailure, xrefs: 05F120FA
                  • Process initialization failed with status 0x%08lx, xrefs: 05F120F3
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                  • API String ID: 0-2986994758
                  • Opcode ID: 315ae0da733ff1378e3491a2f56e31d6cd37e676465632f99ba74bcce2495e41
                  • Instruction ID: aee250fcc07c5208eba6ae735746e8084ffa1ae1f1179ac855c5c567ac6261b3
                  • Opcode Fuzzy Hash: 315ae0da733ff1378e3491a2f56e31d6cd37e676465632f99ba74bcce2495e41
                  • Instruction Fuzzy Hash: 72F02234A5030CBBE724E649CC4BFA93B69FB40B44F100494FA80BB2C0D6B8A901DA94
                  Function 05EA03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: #%u
                  • API String ID: 48624451-232158463
                  • Opcode ID: 69c58e66070b9b206fece758b803147b7c760cf203a112093038bf82778ae304
                  • Instruction ID: 8c6aff557bf82dfd7c1020fdf6a3c578dfd206562aa4d55295adac632d3e253b
                  • Opcode Fuzzy Hash: 69c58e66070b9b206fece758b803147b7c760cf203a112093038bf82778ae304
                  • Instruction Fuzzy Hash: 3C715CB2A001499FDB01DFA8C998FAEB7F9BF08304F145065E941EB291EA34ED41CB60
                  Function 05EA52A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @$@
                  • API String ID: 0-149943524
                  • Opcode ID: a99d17f039433077ef11e855f3065923c6a86f9258867405c77c73fb88b8930a
                  • Instruction ID: a3aae3e62b8641c6d6803a6a70d41f03c0633cea3b13b135a3d39adc375e7003
                  • Opcode Fuzzy Hash: a99d17f039433077ef11e855f3065923c6a86f9258867405c77c73fb88b8930a
                  • Instruction Fuzzy Hash: FC326B726083118BDB24CF24C484B7AB7E2BFC5748F14692EF9D69B250E774E9448B52
                  Function 05F5A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: `$`
                  • API String ID: 0-197956300
                  • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                  • Instruction ID: 758a7619ef65985f70f0ad9556f00c716dd7bc9a5cae300c21207c31e2c0280b
                  • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                  • Instruction Fuzzy Hash: 55C1E2326083429BD725CF24C844B2BBBE6BF84365F144B2DFAD6CA290D779D519CB41
                  Function 05E90CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON
                  Download Yara Rule
                  Strings
                  • ResIdCount less than 2., xrefs: 05EEEEC9
                  • Failed to retrieve service checksum., xrefs: 05EEEE56
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                  • API String ID: 0-863616075
                  • Opcode ID: a00683ff1b08b92fa55c7683abd82fa7250b586d8ef1cbbf87c761ca2b96bb75
                  • Instruction ID: e0a52261c979c3a32ef579a1de2c5a9067a844433a447bec9cf378018d148573
                  • Opcode Fuzzy Hash: a00683ff1b08b92fa55c7683abd82fa7250b586d8ef1cbbf87c761ca2b96bb75
                  • Instruction Fuzzy Hash: C7E102B1A187849FE324CF15C485BABBBE4FB88714F40892EE5D98B390DB719509CF46
                  Function 00402560 Relevance: 2.8, Strings: 2, Instructions: 259COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: gfff$gfff
                  • API String ID: 0-3084402119
                  • Opcode ID: 404b1941f5da993c4371112e3841f79fc909cdd596c9bb9edbef59bfc9f5794b
                  • Instruction ID: 047773880b4616f5c61f3dd7bc6305f84ce3a4ba8b7469165e3aff1c6a3ca117
                  • Opcode Fuzzy Hash: 404b1941f5da993c4371112e3841f79fc909cdd596c9bb9edbef59bfc9f5794b
                  • Instruction Fuzzy Hash: E581E231B0050547DF2CC95DDE983AAB252EBE4305F18823ED90AEF3D5E6B9DE018785
                  Function 05F0E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: Legacy$UEFI
                  • API String ID: 2994545307-634100481
                  • Opcode ID: 51264e1f828b8d5de6c0e57134167bd8ce5818d413424293684544ffb2149d2f
                  • Instruction ID: 1f06c4864e63327416dd3fcb5b866ecdeaf41c101479e3fc8411cf8213e17b64
                  • Opcode Fuzzy Hash: 51264e1f828b8d5de6c0e57134167bd8ce5818d413424293684544ffb2149d2f
                  • Instruction Fuzzy Hash: B4616D72E043089FDB25DFA8C840BAEBBF9FB44700F18582DE659EB291D735A900DB50
                  Function 05EAF720 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: $$$
                  • API String ID: 0-233714265
                  • Opcode ID: 4fdf2cf65ac1b1a23db08b54552fffaa8278687a956bb22003d74e0d30cc8ef8
                  • Instruction ID: 2137836d3194117464f7db626b193e85ad0836cc4f36f9d723d0b1a12baa37b6
                  • Opcode Fuzzy Hash: 4fdf2cf65ac1b1a23db08b54552fffaa8278687a956bb22003d74e0d30cc8ef8
                  • Instruction Fuzzy Hash: 3561DF76A04749DBEB20DFB4C584BADB7B2FF04708F0460A9D5A5AF640DB74B981CB80
                  Function 05E904E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON
                  Download Yara Rule
                  Strings
                  • kLsE, xrefs: 05E90540
                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 05E9063D
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                  • API String ID: 0-2547482624
                  • Opcode ID: f2a6eab30ba6539ad0febf5a84e9b01e7caf1f5847559352ca66ee4d6108e930
                  • Instruction ID: 65bfe24828e96654f03784d9fdab179dc0f619aa2b14e642b188a474ea49c048
                  • Opcode Fuzzy Hash: f2a6eab30ba6539ad0febf5a84e9b01e7caf1f5847559352ca66ee4d6108e930
                  • Instruction Fuzzy Hash: 1B51D1716047828FDB28EF25C548AA7BBE5BF84308F40683EE9DA87641E770E545CB91
                  Function 05F235BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                  • API String ID: 0-118005554
                  • Opcode ID: 0b7d9fdf95ea25d0af53c08cba4042ce9dd33c063111f2f8f5b3541d2be2be3b
                  • Instruction ID: 776e7b35bd53525f8e6e354a2336c44de4dc049664c6a6fac30762493f990247
                  • Opcode Fuzzy Hash: 0b7d9fdf95ea25d0af53c08cba4042ce9dd33c063111f2f8f5b3541d2be2be3b
                  • Instruction Fuzzy Hash: 1231E5B27083519BD311DB68D448B1ABBE8FF84750F055C69F8818B3D0E778D805CB52
                  Function 05EC34B0 Relevance: 2.6, Strings: 2, Instructions: 66COMMON
                  Download Yara Rule
                  Strings
                  • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 05F02A95
                  • RtlpInitializeAssemblyStorageMap, xrefs: 05F02A90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                  • API String ID: 0-2653619699
                  • Opcode ID: 7326cad28045e9c2b9c6a71852fb7a2863c38b7ae0be43f437aef185c260b572
                  • Instruction ID: 7ad9a6071a9f1f5ca88291a867c9094daf394816f4cb86fe1feba4215128d634
                  • Opcode Fuzzy Hash: 7326cad28045e9c2b9c6a71852fb7a2863c38b7ae0be43f437aef185c260b572
                  • Instruction Fuzzy Hash: 71112075B04214ABE725CA48CD45F6B76A9FB88B54F18D0ADB905DB280E674CD0197A0
                  Function 05ECA5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: Cleanup Group$Threadpool!
                  • API String ID: 2994545307-4008356553
                  • Opcode ID: 240f5befa0a7531bf90738a6c7684150835076f129515988325a1453bac35fb8
                  • Instruction ID: 0907ddbfbb4b7152baea9ef6fa32ffeb6a8bb3bbf857084f231e5e0773bdc1dd
                  • Opcode Fuzzy Hash: 240f5befa0a7531bf90738a6c7684150835076f129515988325a1453bac35fb8
                  • Instruction Fuzzy Hash: B30128B2254748AFD311DF14CE4AF267BE8E744715F00897DB598CB190E734D805CB46
                  Function 05E9C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: MUI
                  • API String ID: 0-1339004836
                  • Opcode ID: 0b80c0d17e031fac583705cbb98d39618f8967defcb5d78e67df5ccad3513dcb
                  • Instruction ID: 08b3d1825bf536e40d9f6e262cf3cc8f45bd4a6e19c2625dc564579386342b43
                  • Opcode Fuzzy Hash: 0b80c0d17e031fac583705cbb98d39618f8967defcb5d78e67df5ccad3513dcb
                  • Instruction Fuzzy Hash: D0826075E042189FEF28DFA9C944BEDB7B2BF44314F249169D89AAB350E7309D81CB50
                  Function 05EE2F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: P`vRbv
                  • API String ID: 0-2392986850
                  • Opcode ID: 2d2af41462fc32978fa7ab854c79ae39e837c16bcedd26c973ef78688c84f293
                  • Instruction ID: ecd903e8fab0ddb333bd8d6925485c80dc39c91a018de50e816845867f877f1c
                  • Opcode Fuzzy Hash: 2d2af41462fc32978fa7ab854c79ae39e837c16bcedd26c973ef78688c84f293
                  • Instruction Fuzzy Hash: 7C423E71D2825AAEEF25CF68D844AFDBBB2FF0D318F14A81AD4D1A7290E7346941C750
                  Function 05EB2E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 103421ff9c315752e09e7a12a685218a2336542701f4ca9e26bf99584eb99a5c
                  • Instruction ID: 587de91aef0fb7ce3b0493fdcf2960496ba5c36f490f4a18f48004dcc7ad292d
                  • Opcode Fuzzy Hash: 103421ff9c315752e09e7a12a685218a2336542701f4ca9e26bf99584eb99a5c
                  • Instruction Fuzzy Hash: 81F1BF71608342CFEB25CF24C485AABB7E6BF8C615F146D2DE9C99B240DB70D805CB52
                  Function 004165BE Relevance: 1.7, Strings: 1, Instructions: 424COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (
                  • API String ID: 0-3887548279
                  • Opcode ID: 0156eea5746a53115624a98c3f4760550ff7cbb6fdf5202b83e28f0a4b1af602
                  • Instruction ID: b9a8cc7f7ee371adb38a70aa5549742b3d91b2ee7fc26995be93c4bc165f0fd6
                  • Opcode Fuzzy Hash: 0156eea5746a53115624a98c3f4760550ff7cbb6fdf5202b83e28f0a4b1af602
                  • Instruction Fuzzy Hash: 1A021EB6E006189FDB54CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                  Function 004165C3 Relevance: 1.7, Strings: 1, Instructions: 423COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (
                  • API String ID: 0-3887548279
                  • Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                  • Instruction ID: 707c439578de91832c5989b1e82aedc1b9e88b2a8add3e9eaf918a1f2550510c
                  • Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
                  • Instruction Fuzzy Hash: 0A021EB6E006189FDB14CF9AC4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80
                  Function 05E92FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: PATH
                  • API String ID: 0-1036084923
                  • Opcode ID: 4be70afb2fc2224618a62e15da4359993a93b8db3d24ff3e314559e9e786b884
                  • Instruction ID: 32200043e46b03e733b48dc8d8bdd8848f75fdaa3c3b70925a788b6ff1b4eb1c
                  • Opcode Fuzzy Hash: 4be70afb2fc2224618a62e15da4359993a93b8db3d24ff3e314559e9e786b884
                  • Instruction Fuzzy Hash: 75F1CF71E14218DBDF29DF99D881ABEBBB2FF4C704F455429E881EB250EB349841CB61
                  Function 05ECF603 Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bab4a8179965aee8fd8d905e42bf7fbd8570d6bd1ece5c1e7fbdd07c7242ad96
                  • Instruction ID: e1e610246eb2f43c8675381a139aa83f81e07c38ea93e14cc5cc9e95f0593c26
                  • Opcode Fuzzy Hash: bab4a8179965aee8fd8d905e42bf7fbd8570d6bd1ece5c1e7fbdd07c7242ad96
                  • Instruction Fuzzy Hash: 3E415A74D002889FDB20DFA9C980AAEFFF5FF48740F50416EE499A7211DB349901CBA0
                  Function 05E90100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: 3777b6af25a253428c9f127712f1a91b701b7576aee1f29f5c08a4702a87cf28
                  • Instruction ID: 9bc21621348093fbad91a0c68b8b09153dac997a9fc9f8ac2ffa784b81018024
                  • Opcode Fuzzy Hash: 3777b6af25a253428c9f127712f1a91b701b7576aee1f29f5c08a4702a87cf28
                  • Instruction Fuzzy Hash: 29A13D71B083186BEF3CCA25884DBFE77AB6F45318F447099EDCBA7281D67099848B50
                  Function 05ECA660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: GlobalTags
                  • API String ID: 0-1106856819
                  • Opcode ID: ea28a5025187aaf9f01de63f89b38feb3bb68dea5053a6f4c687568db85f2e3c
                  • Instruction ID: 0d9e731fd8e90f013a66475e347b3750dc8392d783a972361c1ff86a528a3b5e
                  • Opcode Fuzzy Hash: ea28a5025187aaf9f01de63f89b38feb3bb68dea5053a6f4c687568db85f2e3c
                  • Instruction Fuzzy Hash: E6719275E04219CFDF28CF98C590AAEBBF2BF48710F18952EE446E7280DB399911DB50
                  Function 05E9973A Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @
                  • API String ID: 0-2766056989
                  • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                  • Instruction ID: 191061045312e7d4080d25bbe507aee7eb1e365d5989e8f6cdde51737d7d98b5
                  • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                  • Instruction Fuzzy Hash: 7F61AD75D00258ABEF25DF95C804BEEBBB5FF40714F10516DE991E7290E7709A01CB60
                  Function 05F1F7AF Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: @
                  • API String ID: 0-2766056989
                  • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                  • Instruction ID: 96ff9420794948184298a38d13ee08902bbf0f3160719dd1bdbab7b01151c2d8
                  • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                  • Instruction Fuzzy Hash: CB519072618705AFE721DF54CC44F6BB7E9FB84750F400929B9819B290EBB8ED04CBA5
                  Function 05EAE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: EXT-
                  • API String ID: 0-1948896318
                  • Opcode ID: 2a2f71116035da424e4dcaf94492f4ea18b5c977f9af744a8eedf1eb27e805d3
                  • Instruction ID: b8c1ac136c40da77cf331eaf7d73d784959359c0fd0bb090c8821cd5226ba46c
                  • Opcode Fuzzy Hash: 2a2f71116035da424e4dcaf94492f4ea18b5c977f9af744a8eedf1eb27e805d3
                  • Instruction Fuzzy Hash: 62418073608311ABE721DF74C984BABB7ECAF88758F442929F5C5DB140E674E904C7A2
                  Function 004029EB Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: gfff
                  • API String ID: 0-1553575800
                  • Opcode ID: e09fb3229fb4bf7cc65a5064ac46cf2120417b7d4de09b49bcbdaac5a9682e88
                  • Instruction ID: a110493c6399659ba9d232603f32bab4d1247863097d3c227723b6d112227efa
                  • Opcode Fuzzy Hash: e09fb3229fb4bf7cc65a5064ac46cf2120417b7d4de09b49bcbdaac5a9682e88
                  • Instruction Fuzzy Hash: 9441AE36B0041D07CB398C6DDE893EAB656E7D4314F28523BDD99EB3D0D8BC9D068A84
                  Function 004029F0 Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: gfff
                  • API String ID: 0-1553575800
                  • Opcode ID: 7ddeac7a378ce165cdc38605cb9c3b0aadbc39dfcdc8b0601e25c7805e46de0b
                  • Instruction ID: 5c68278dfccc13382cae4e65f72f646655c80b003166bfca5aabd27cdbdbd4f0
                  • Opcode Fuzzy Hash: 7ddeac7a378ce165cdc38605cb9c3b0aadbc39dfcdc8b0601e25c7805e46de0b
                  • Instruction Fuzzy Hash: 4D419C36B0041D07CB398C6DDE893EAB655E7D4314F28527BDD99EB3D0D8BC9D068A84
                  Function 05F0C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: BinaryHash
                  • API String ID: 0-2202222882
                  • Opcode ID: 025d2e2b30870c5583c83d90c2a4d9fe7b2fd6fd2acf703968756ed16ffe3b83
                  • Instruction ID: eb6de0691871f9b6210d2f3b9211715cf6ecd69ec4ebb3566e0a8590d0d55159
                  • Opcode Fuzzy Hash: 025d2e2b30870c5583c83d90c2a4d9fe7b2fd6fd2acf703968756ed16ffe3b83
                  • Instruction Fuzzy Hash: 084165B1D0012CABDF21DB50CC84FDEF77DAB44714F0456A5EA48AB180DB749E898FA8
                  Function 05F197A9 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: verifier.dll
                  • API String ID: 0-3265496382
                  • Opcode ID: e14676a5c0e1d4c1643d61446d4bec9871132ee29d107d4c3bd3f1d3c0ab8c06
                  • Instruction ID: 621eb93035d56ad72763533b58c6bcb7cd564f78b8ad62811896752367638fda
                  • Opcode Fuzzy Hash: e14676a5c0e1d4c1643d61446d4bec9871132ee29d107d4c3bd3f1d3c0ab8c06
                  • Instruction Fuzzy Hash: 1D31D375B10201AFDB249F299961B3776E6FB48720F94903AE945CF280EEB88C80C794
                  Function 05F3705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: kLsE
                  • API String ID: 0-3058123920
                  • Opcode ID: caf1bb642be3e2f65f174635f053da6cfe0c9ecf2cd7528d4f90ed40baf99b87
                  • Instruction ID: 38b5bee237f94563c3d765d2b8a70a9f14c3eb2bd9735d28b784379d98ba79ea
                  • Opcode Fuzzy Hash: caf1bb642be3e2f65f174635f053da6cfe0c9ecf2cd7528d4f90ed40baf99b87
                  • Instruction Fuzzy Hash: 0A4123B2A2635946EB20BB64D88BB7A3F92FB00768F140158FDA1CE1C1CFBC4585C790
                  Function 05EC7505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: #
                  • API String ID: 0-1885708031
                  • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                  • Instruction ID: 530bcbc059a79fc452bc1882cebc8e09b367b550c6b79709de78920973b57db3
                  • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                  • Instruction Fuzzy Hash: 12418C75A00616ABDF21DF44C590BBEBBB6FB44701F00509EE9C2A7240EB34D942CBE1
                  Function 05E95096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: Actx
                  • API String ID: 0-89312691
                  • Opcode ID: c8b4423cf8ed7e5518b1555c3403e37d8baf8773841b2e2ba221fb8ee921fbd3
                  • Instruction ID: 8ad21d704e7c6c962d23b4783269303ce7ef2eb8598fa2bc322dfdcf574d466f
                  • Opcode Fuzzy Hash: c8b4423cf8ed7e5518b1555c3403e37d8baf8773841b2e2ba221fb8ee921fbd3
                  • Instruction Fuzzy Hash: 691196317087028BFF2E8D1D88546767297FF82268F34652BD8D2CB391F671D8418780
                  Function 05ECE8F0 Relevance: 1.0, Instructions: 985COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0355584e92b1e434da107914af4df4e0fa585ed63df99e89c284350724d4d7ce
                  • Instruction ID: cde62c76cd4e2bee7802214f9bb44aef94b66691e599620a4b3136c83c2a6aa0
                  • Opcode Fuzzy Hash: 0355584e92b1e434da107914af4df4e0fa585ed63df99e89c284350724d4d7ce
                  • Instruction Fuzzy Hash: 8D821072F102188BCB58CFADD8916DDB7F2EF8C314B19812DE41AEB345DA34AC568B45
                  Function 05ED516C Relevance: .8, Instructions: 785COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7c19cdca4b675c87067bc68ddef0d7ffd2afcc7635405a8a287c3476bfdb6285
                  • Instruction ID: fb4725d14ed5c2a142f74e837d390cc1541202fc51ef30089d6767f1c3f712a4
                  • Opcode Fuzzy Hash: 7c19cdca4b675c87067bc68ddef0d7ffd2afcc7635405a8a287c3476bfdb6285
                  • Instruction Fuzzy Hash: 9962B13290864AAFDF14CF08D4915EEFB73BE51358B45E15EC8EA27604D371B946CBA0
                  Function 05EE739A Relevance: .7, Instructions: 705COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ad6e3ff721c82dc0bd4c7bfaceb72a5081010c22b875c9417434cda26f00c4f6
                  • Instruction ID: 31acfdfbf9ccb1d4bc08059568171e876df8bd4813414d3ba5de1137cdbdfd6e
                  • Opcode Fuzzy Hash: ad6e3ff721c82dc0bd4c7bfaceb72a5081010c22b875c9417434cda26f00c4f6
                  • Instruction Fuzzy Hash: 2A42C371A146969FDF18CF58C8809BEB7B2FF88318B14956DD996AB340D734EC42CB90
                  Function 05EE5AA0 Relevance: .7, Instructions: 652COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                  • Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
                  • Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
                  • Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
                  Function 05EBB2C0 Relevance: .6, Instructions: 629COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ed1f84f59418e5997ee64c242871a99196eff34af44cb1b4c6cc9e16828c7e11
                  • Instruction ID: 6044d1d9d7760cd24064c96688e15dd20694e44818e796b48ecac499666e64d5
                  • Opcode Fuzzy Hash: ed1f84f59418e5997ee64c242871a99196eff34af44cb1b4c6cc9e16828c7e11
                  • Instruction Fuzzy Hash: FD32A171E04219DBEB14CF98D844BFEBBBAFF44714F181129E886AB350E7759901CB91
                  Function 05EA2840 Relevance: .6, Instructions: 605COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5c8ffd914ca9438899102fcc322a6662d6158536e72da5d19155566df450a63b
                  • Instruction ID: c0878d26eb742c290d86397693809ebe831ee685375eb798654a638cad1f13de
                  • Opcode Fuzzy Hash: 5c8ffd914ca9438899102fcc322a6662d6158536e72da5d19155566df450a63b
                  • Instruction Fuzzy Hash: 8F32C074A047558FEB24CF69C844BBEBBF2BF84708F14551DD6C6AB284EB35A842CB50
                  Function 05F3A118 Relevance: .6, Instructions: 591COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 88ceffff278982184fae1de05c570150c89ef35f62aba9c8c7fbc577a2f2500b
                  • Instruction ID: 2218fd60c5fa343291ffa16885f6ac0adcb7bb901257b1e57d69fe176ad21198
                  • Opcode Fuzzy Hash: 88ceffff278982184fae1de05c570150c89ef35f62aba9c8c7fbc577a2f2500b
                  • Instruction Fuzzy Hash: E622C171A086518BEB25CF2AC096772B7F2BF45300F088899D8D78F695E73DD492CB60
                  Function 05F516CC Relevance: .6, Instructions: 571COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d4b37539e1211fbca47ab07d56e7c42102e56af9653acc569e75f13e795a2a78
                  • Instruction ID: c6645cb489ec8db22e4504fd8fd5548453307acfe3c2fab0569affdde5826966
                  • Opcode Fuzzy Hash: d4b37539e1211fbca47ab07d56e7c42102e56af9653acc569e75f13e795a2a78
                  • Instruction Fuzzy Hash: A3227235F042168FCB19CF58C490FBAB7B2BF89324B14456DDA969B345DB38E942CB90
                  Function 05F51D5A Relevance: .6, Instructions: 559COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 788a5f527e9e0d91a17c9db29dd9656fe9c38fcd31cd5c98269a5451d88b556a
                  • Instruction ID: 5ded1faf52445900eb7c8afa42251d2e591c10ca54aac61e7e3486ace7297b1e
                  • Opcode Fuzzy Hash: 788a5f527e9e0d91a17c9db29dd9656fe9c38fcd31cd5c98269a5451d88b556a
                  • Instruction Fuzzy Hash: 8B22A539B047118FD718CF28C490A2AB7E2FF89324F544A6DEA96CB355D734E846CB91
                  Function 05EBFB80 Relevance: .6, Instructions: 559COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1e173fe89ecc68ac1ebabae44217d352d0ea716095dacb0a170e87c5eaf823a7
                  • Instruction ID: 5c7fbb0a9438d636fc95c52d015e00759162f175e716abaa0813638a88e038bd
                  • Opcode Fuzzy Hash: 1e173fe89ecc68ac1ebabae44217d352d0ea716095dacb0a170e87c5eaf823a7
                  • Instruction Fuzzy Hash: C6220575E00209EFDB10DFA4C888BBEB7BAFF44300F589569D9559B281EB38E541DB90
                  Function 05EB8DBF Relevance: .6, Instructions: 554COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 385e401aeb0b3f1ec5b9e32277fcdc20b8a17d36be5fb725b9943c4c354965e5
                  • Instruction ID: f9e98a6dce49cd2dabbdcb82990db7fae730b73f867601db115eca8c70810ead
                  • Opcode Fuzzy Hash: 385e401aeb0b3f1ec5b9e32277fcdc20b8a17d36be5fb725b9943c4c354965e5
                  • Instruction Fuzzy Hash: 99225D70E0421ADBEB15CF95C9809FEFBF6BF44305B14906AE9859B341E774E941CBA0
                  Function 05F52446 Relevance: .5, Instructions: 485COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bd8bcd5134740df66f3ec1f2348cb37d887b434e4839e0ffece4c804206a9e51
                  • Instruction ID: 72bfb4ce988705476b1ccf2bd9be5d9a0cf032089896c7acc9990e2cd392c98e
                  • Opcode Fuzzy Hash: bd8bcd5134740df66f3ec1f2348cb37d887b434e4839e0ffece4c804206a9e51
                  • Instruction Fuzzy Hash: 98020339A046418BD714CF29C450776BBF2BF45321B09869AEED6CF281D73CE846DB60
                  Function 05F6B16B Relevance: .4, Instructions: 450COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2809bee18722973152d3a8599d0532543e2f5218c3611a005148675966550ea1
                  • Instruction ID: c80e7cf2a89b474239fe00dd086e4dd5a33c5af174188fd8c521171a8a1b7996
                  • Opcode Fuzzy Hash: 2809bee18722973152d3a8599d0532543e2f5218c3611a005148675966550ea1
                  • Instruction Fuzzy Hash: E3F10573F046159BCB18CF69C9A167EFBF6BF88200719416DD496DB384E638EA41CB50
                  Function 0040FE83 Relevance: .4, Instructions: 435COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                  • Instruction ID: a4740f6b3c8402af9e01f6e60a2c45b2c35ddc0c5b855ca4f148ce3c6b87d17f
                  • Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
                  • Instruction Fuzzy Hash: 26026E73E547164FE720CE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA79BA525A90
                  Function 05F6A9A6 Relevance: .4, Instructions: 425COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c63a024ae97733b4fa9b53c3be7a420113d0dbe6997cd32c603e5af6f487b92
                  • Instruction ID: f7129e4c9bcdbe5c00b0c1f2066849014e7ee669a5fdccaf4c5b8cd23720d25f
                  • Opcode Fuzzy Hash: 4c63a024ae97733b4fa9b53c3be7a420113d0dbe6997cd32c603e5af6f487b92
                  • Instruction Fuzzy Hash: 32F1B373E005269BCB18DE69C5A05BDFBF6BF55200719426AD896FB380D738EE41CB90
                  Function 05EBFDC0 Relevance: .4, Instructions: 390COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 812b2b0ced7a023d6c841f4c882edd00626ee39f8aa450cba08cfd4aa94d3053
                  • Instruction ID: 5a6aafe905c1bda26af0dcd0521cc32d7ae6edce7d643cb98274be272b665ca6
                  • Opcode Fuzzy Hash: 812b2b0ced7a023d6c841f4c882edd00626ee39f8aa450cba08cfd4aa94d3053
                  • Instruction Fuzzy Hash: C4F1C070E00209DFDB14DFA4C884BBEB7BAFF04314F5895A9D945AB285EB38DA41DB50
                  Function 05E965D0 Relevance: .4, Instructions: 383COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 045d4838a7374283f8209fc02604e5a5d9dd5d263b7e453beb9e096357d17c4c
                  • Instruction ID: e4db771e78294934066a7a698855564647796dec50099ae3d65a5a55454dd8b1
                  • Opcode Fuzzy Hash: 045d4838a7374283f8209fc02604e5a5d9dd5d263b7e453beb9e096357d17c4c
                  • Instruction Fuzzy Hash: ECE19275608341CFDB18CF28C090A6ABBE1FF89318F05996EE5D99B351DB31E905CB92
                  Function 05EBC6E0 Relevance: .4, Instructions: 367COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ab86815788d7b5dc89afceac04374b0ec92094c5786b1050223bf0b1c6ec78e9
                  • Instruction ID: 3b9e7e520ac580bab888001f35fd9999cfa2a013e0b8f87db0f3bf1fbb94666f
                  • Opcode Fuzzy Hash: ab86815788d7b5dc89afceac04374b0ec92094c5786b1050223bf0b1c6ec78e9
                  • Instruction Fuzzy Hash: 80D17271E0C11B8BFB28CE98C5417FFB7B6FB44306F24606AD58AA7290D7B49D418B54
                  Function 05EA38E0 Relevance: .3, Instructions: 349COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 388faf3382a1966a4291225b42945caa32bc87e6d7393e59c7dfe8c40ee7a3fa
                  • Instruction ID: 4bbbcdf9802140d11a6408205d69b1ba26ea2f443aa6b364a4d39418d759e3bf
                  • Opcode Fuzzy Hash: 388faf3382a1966a4291225b42945caa32bc87e6d7393e59c7dfe8c40ee7a3fa
                  • Instruction Fuzzy Hash: D2E19075A00205CFDB18CF68C980AAABBF2FF58314F249559E596EB391D734ED41CBA0
                  Function 05E9D7E0 Relevance: .3, Instructions: 342COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8bbf6a82658f68389df953473aeefc2aeaef9c7328084203064ec24cff4a88bf
                  • Instruction ID: ded41532fc7f0795d8b4322bf3dcf720d751fab976a32b2148118e715786b440
                  • Opcode Fuzzy Hash: 8bbf6a82658f68389df953473aeefc2aeaef9c7328084203064ec24cff4a88bf
                  • Instruction Fuzzy Hash: DDC1D171E042169BEF28CF58CD44BAEB7B6FF54314F189269D995AB2C0DB70E941CB80
                  Function 05EBD2F0 Relevance: .3, Instructions: 341COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
                  • Instruction ID: dd7838615a64accc4330333b299a0deaa2227ffb89ed3f31ea5aee40c3140f91
                  • Opcode Fuzzy Hash: d3d6c2a61c50af119dbf7a660be9dd8e78e4cce8ee85c1312ee98e55f77ac127
                  • Instruction Fuzzy Hash: 13B10722A145118BFB1CCA14CEA13BE2253FFC5325F19A279D9974F7E9D9B89A018342
                  Function 05EAF460 Relevance: .3, Instructions: 321COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 914f1f833c478f5f05052e3668332d1c6004f4f90f3dfde896e0297a5fde753e
                  • Instruction ID: 1bf89a28704d1fa25c9f900adcf2c49235abe2491f3e47efd3bcc78d0d5430e8
                  • Opcode Fuzzy Hash: 914f1f833c478f5f05052e3668332d1c6004f4f90f3dfde896e0297a5fde753e
                  • Instruction Fuzzy Hash: 64C1157AA14215CBDB24CF28C494BB977A2FFC4708F195159E8E29F391E734A941CB90
                  Function 05EA0535 Relevance: .3, Instructions: 300COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                  • Instruction ID: 20f9cf3a1a8ff0f9cb21cad120a7ba056a01b8085213e26c5b2fd2637d517e78
                  • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                  • Instruction Fuzzy Hash: 3DB10432704645AFDB25DB74C858BBEBBF6BF84304F141155D6D69B281EB30E941CB90
                  Function 05EB90DB Relevance: .3, Instructions: 287COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 1296929d79192365f654b0d20f4e5706f9981f34fca6af46b452798f929ad008
                  • Instruction ID: ac83ec659d61b11b26afd9345e60fdc83d03ff386deb8b8ca2f562a59634c433
                  • Opcode Fuzzy Hash: 1296929d79192365f654b0d20f4e5706f9981f34fca6af46b452798f929ad008
                  • Instruction Fuzzy Hash: 7CA14B72A04215AFEB12DFA4CC45FBF7BB9AF45754F015054FA80AB2A0DB75AC11CBA0
                  Function 05E983C0 Relevance: .3, Instructions: 281COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1beccb3bc0cc108bbdba886cb4614e5acfa5c5bd70aae728e2b2babaa3201613
                  • Instruction ID: 9bc6b7e1f66cf58564f9b204c4e3475db32302e7d2db7ba41c515920b2b62b52
                  • Opcode Fuzzy Hash: 1beccb3bc0cc108bbdba886cb4614e5acfa5c5bd70aae728e2b2babaa3201613
                  • Instruction Fuzzy Hash: 0AC15974608384CFE768CF14C494BAAB7E5BF88308F44595DE9C9872A0DB75E909CF92
                  Function 05E8C427 Relevance: .3, Instructions: 280COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3fc43fb66bf96f0862d9d71e64c71c816012bd45e8226a4bf0caeab497ff912d
                  • Instruction ID: 3128b1a21d8b48ad4c91781d5a9563aec9a08ebbbbb6d43ed3b67780ff2cd8e6
                  • Opcode Fuzzy Hash: 3fc43fb66bf96f0862d9d71e64c71c816012bd45e8226a4bf0caeab497ff912d
                  • Instruction Fuzzy Hash: 73B17170B002558BEB65DF64C884BB9B3B2BF45704F1495E9D58EEB290EB709D86CB20
                  Function 05EBE5E7 Relevance: .3, Instructions: 278COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: caca4e364e11d40ba6ead83d0faefa58d48d79cbe12174aadf9d1f52134a6f6e
                  • Instruction ID: fd07d2756e12a2e07d9122ebc5a9d8c246738a1af53b838a6b8f62481359b103
                  • Opcode Fuzzy Hash: caca4e364e11d40ba6ead83d0faefa58d48d79cbe12174aadf9d1f52134a6f6e
                  • Instruction Fuzzy Hash: 85A11932E046649FFB21DB54C848FFEBBAABB05718F051111EA91AB290DBB89D41C7D1
                  Function 05ED0185 Relevance: .3, Instructions: 276COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 31a2caf66a99dca1fb167ef01fc503e67d3f2a9662d9cbe676fbc790a6153af4
                  • Instruction ID: 437e94e939aea38ede01f5a78f1d5c8cb9a76a7742a1e22799371b64ac5bca4d
                  • Opcode Fuzzy Hash: 31a2caf66a99dca1fb167ef01fc503e67d3f2a9662d9cbe676fbc790a6153af4
                  • Instruction Fuzzy Hash: 39A1C671B016199FDB24CF65C598BBAF7B6FF44314F085029EA8597281FB78E812CB60
                  Function 05F64500 Relevance: .3, Instructions: 275COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 876ba760a894347e9950b77cc053aa159fbf224dbdf42665773b259f7a0121d9
                  • Instruction ID: 4794ed9ee047e76d73650c479048260b00bcb941f97dc6a46e0dbce469c5e6f7
                  • Opcode Fuzzy Hash: 876ba760a894347e9950b77cc053aa159fbf224dbdf42665773b259f7a0121d9
                  • Instruction Fuzzy Hash: 5FA1DD72A14651AFCB15EF24C988F6ABBEAFF48704F050928F589DB650D738ED01CB91
                  Function 05EAE3F0 Relevance: .3, Instructions: 261COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8cc9b637703da8caf94d69cc63e314adba5a7ca76fe065f0174c22c0d2b6d9ba
                  • Instruction ID: 19c6261874c04214f02e754c66a815aec1443ca7374c43b6874f4f9cec1dafe5
                  • Opcode Fuzzy Hash: 8cc9b637703da8caf94d69cc63e314adba5a7ca76fe065f0174c22c0d2b6d9ba
                  • Instruction Fuzzy Hash: 5F911433B006558BE724DB78D444BBAB7AAFF84718F05A065E9C5DF281EB34E901CB61
                  Function 05E99486 Relevance: .3, Instructions: 259COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1215cb2ee273d472b809c91b4679beee2b1ec09125a4814694bd70fbf37802ae
                  • Instruction ID: 781ac1aa349f8b75dafd8bfae4b4b9cf69150be3d375c41cebdc443ff82e0076
                  • Opcode Fuzzy Hash: 1215cb2ee273d472b809c91b4679beee2b1ec09125a4814694bd70fbf37802ae
                  • Instruction Fuzzy Hash: 30B14F75A04205CFDF29CF28D485BBA77B2BF04318F14555DE8A6DB292EB35D842CB60
                  Function 05E91131 Relevance: .3, Instructions: 259COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d6e712ac7f981673c2cfe33daaa0a6490193b325de0d130f94a6b7046ad86367
                  • Instruction ID: 8f52fe4296687e7a65687884132845ae2e175e1f86b33f99f10752abc3ccefc1
                  • Opcode Fuzzy Hash: d6e712ac7f981673c2cfe33daaa0a6490193b325de0d130f94a6b7046ad86367
                  • Instruction Fuzzy Hash: E7B102B56183419FD758CF28C580A6AFBE1BB88304F18596EF8D9D7351D331E945CB42
                  Function 05EC4750 Relevance: .3, Instructions: 251COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                  • Instruction ID: c939a67a30303e1311fa83c7a861dad2fe80438f5044f57127749826c736f529
                  • Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
                  • Instruction Fuzzy Hash: DA813D23E042958BDF11CE98C9A02BDBF52FF56305B1C69FEE4829B2C1D264D847D391
                  Function 05EDDBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                  • Instruction ID: b4435149a1be60777357230efab21620caf8ec75ae991ad7e8bfdacc02888089
                  • Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
                  • Instruction Fuzzy Hash: 5E915FB1614A068FEB25CF2DC985662FBE0FF55328B149A18D4E7DB6A0D335E512CB10
                  Function 05F5F7B0 Relevance: .2, Instructions: 242COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 00ae990709434fa1bf7048ea00a96f1959a121de0439603852c61d49a9f76883
                  • Instruction ID: c2ae59dd6ad092ff71f4b91752998f5fa53d0f91fdeb6398eece524cdabc2e9e
                  • Opcode Fuzzy Hash: 00ae990709434fa1bf7048ea00a96f1959a121de0439603852c61d49a9f76883
                  • Instruction Fuzzy Hash: B391D5B2E04606ABDB14CF28C840B7BB7E6BF44321F0485B4DE55DB281E779E945CB90
                  Function 05F5F43F Relevance: .2, Instructions: 241COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c73014163f5456d3606c6505d4cfde8875179d6b134cbadce420330f38a790a8
                  • Instruction ID: da35dcecfb49513a3313d175421c607922ce63afc06bc54e931c3d0e646337ab
                  • Opcode Fuzzy Hash: c73014163f5456d3606c6505d4cfde8875179d6b134cbadce420330f38a790a8
                  • Instruction Fuzzy Hash: 67910572A101159BCF08CF79C8946BEBBF2FF88321F1981A9E955DB285E738D905CB50
                  Function 05F581CC Relevance: .2, Instructions: 232COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4b3a694e33e83c4035ea0d62e0ec3ad464571340ba901967970ea0a9f5d9df6f
                  • Instruction ID: 09ca6fcca3ae5f32e8e71a74fa660e933532b7b393cc65e67baf7c6ac0c42d7e
                  • Opcode Fuzzy Hash: 4b3a694e33e83c4035ea0d62e0ec3ad464571340ba901967970ea0a9f5d9df6f
                  • Instruction Fuzzy Hash: A281AA72E045159BCB14CF69C8805BDBBF6FF88360B25426ADE62E7280D778D952CB90
                  Function 05EA0E59 Relevance: .2, Instructions: 231COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f015d07c01a7e0e1b10d48454ec6398538abfaf396d061a000c6cbef1df90309
                  • Instruction ID: 830400f5d5792777170735ddd32092356192fdebaf04e6e5d0b671a19910c4a1
                  • Opcode Fuzzy Hash: f015d07c01a7e0e1b10d48454ec6398538abfaf396d061a000c6cbef1df90309
                  • Instruction Fuzzy Hash: B081D536A041289FDF14CE69C8849BEBBB3FF85254B25D195E895AF345D730FA01CB90
                  Function 05F4E4F6 Relevance: .2, Instructions: 224COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 51715d077787eadee0c0516ece1e941b0070741d81c5ef32853f97c29c33558e
                  • Instruction ID: 6d1e8becc599c7363f0e68820f4e9db0024e7475dd888ff6307926d3a7b18c2c
                  • Opcode Fuzzy Hash: 51715d077787eadee0c0516ece1e941b0070741d81c5ef32853f97c29c33558e
                  • Instruction Fuzzy Hash: 42819F72E002159BCB18CF98C990ABDBFF6FF89310F198169D916EB385D7389941CB90
                  Function 05F4B52F Relevance: .2, Instructions: 222COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                  • Instruction ID: a2ba0b534cabd7733c0d80ebb4b223d45087f96144e2e9bb2cc019acac61edb4
                  • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                  • Instruction Fuzzy Hash: 29717135E0421A9BCF20CF64C980ABFBFFABF54750F55495AE841AB246E738D9418F90
                  Function 05F5AB40 Relevance: .2, Instructions: 222COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                  • Instruction ID: 69156d22a7646db7315ee0d34c524136ec4276ce2666755dbe655e32680f5583
                  • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                  • Instruction Fuzzy Hash: A9816F71A002099FCF19DF58C884AAEB7F6FF84321F188669DE569B344D778E911CB90
                  Function 05EBD090 Relevance: .2, Instructions: 217COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                  • Instruction ID: bb6a9b6103e3dcf58918b31de3bdef20cdf9e1ae8939748e1e7ce317536f8820
                  • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                  • Instruction Fuzzy Hash: A0810672E042199BEF54CF68C980BEEB7B6FF84305F14916AC995B7350DB71AA00CB91
                  Function 05EBB950 Relevance: .2, Instructions: 209COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e12791d0e7a3b4b3d635930429dcdf3f7cf54c5c8bf47250c736d7e68a0418e1
                  • Instruction ID: e27a70d671b926de33ca6ab697b26c720c2333179e5f2cca56691751a991ac41
                  • Opcode Fuzzy Hash: e12791d0e7a3b4b3d635930429dcdf3f7cf54c5c8bf47250c736d7e68a0418e1
                  • Instruction Fuzzy Hash: 69712570B042108FF764CE2AC844BB773EABB44709F159559E9D6CB1D4EBB5E802CB60
                  Function 05EAC640 Relevance: .2, Instructions: 206COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 49b18789aeaa68e9cbf972ec9aeaed8880ae24b16b4035ae1e12fed6327e1907
                  • Instruction ID: ce1c0422d36f766e389de95e9daad176aa28490a180e112e01fbc58cdf75e50f
                  • Opcode Fuzzy Hash: 49b18789aeaa68e9cbf972ec9aeaed8880ae24b16b4035ae1e12fed6327e1907
                  • Instruction Fuzzy Hash: 0771C4B6908229DBDB25CF68C8507FDBBB6FF48704F14511AF996AB350EB359800CB90
                  Function 05F4DAC6 Relevance: .2, Instructions: 202COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8478b712b359b1230eeab3c84d695acf5a50fce11c38f5df8a3ed9a12e7ab1ce
                  • Instruction ID: 73561fce4f7126af62b496c2d77275d28e9887bd042a2ef700de41b4d614303f
                  • Opcode Fuzzy Hash: 8478b712b359b1230eeab3c84d695acf5a50fce11c38f5df8a3ed9a12e7ab1ce
                  • Instruction Fuzzy Hash: C9817870D042559EDB24DF6AD444ABABFF2FF49300F00845AE996EB249D378D881DF60
                  Function 05EA260B Relevance: .2, Instructions: 201COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f49c274c706af40d57ee368b703056d2d871989dcd4ee179f50bf4f602cf0357
                  • Instruction ID: 3ca82c82b566fa1d62a7734dd94b591acec8c2127c27414defc901a6741627c2
                  • Opcode Fuzzy Hash: f49c274c706af40d57ee368b703056d2d871989dcd4ee179f50bf4f602cf0357
                  • Instruction Fuzzy Hash: 2271EF7A7042418FD312DF28C484B6AB7E6FFC4304F0495AAE9999B351EB34E945CB91
                  Function 05F570E9 Relevance: .2, Instructions: 201COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0213555704b6169b94abce200536a9cc3a90d490a3c197b6f1298cc97ea3715f
                  • Instruction ID: 3221c57a351340ed7a089ae01c0462e90c603a6a5b1a037235d3785b860db2ae
                  • Opcode Fuzzy Hash: 0213555704b6169b94abce200536a9cc3a90d490a3c197b6f1298cc97ea3715f
                  • Instruction Fuzzy Hash: DB61B776F012169BCB14FEA5C8859BFB76AFF44260F504429EF52A7240EB78D9418B90
                  Function 05F4F0CC Relevance: .2, Instructions: 199COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f25191be1ba25cb300ad34d63d587643d6a34f98e8f66bb5a6d6b6260535e6de
                  • Instruction ID: 91e59ffd982d9e7849d1ad022f9799e838810d4b8e4b533c55da7241e7c2ff38
                  • Opcode Fuzzy Hash: f25191be1ba25cb300ad34d63d587643d6a34f98e8f66bb5a6d6b6260535e6de
                  • Instruction Fuzzy Hash: B771AF79E04622DBCB24CF59C48057ABBF2FF84714B65486EE85A97340E778EA40CF60
                  Function 05F5132D Relevance: .2, Instructions: 188COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 541235c048df1ba01b1e20e46d82a52ed7816341bd4d7245581ec199f06f13ac
                  • Instruction ID: 2996d2423ee41d23ac71ec08319bff012c360274755301c76f38c4c8825263b7
                  • Opcode Fuzzy Hash: 541235c048df1ba01b1e20e46d82a52ed7816341bd4d7245581ec199f06f13ac
                  • Instruction Fuzzy Hash: E8817175A00245DFCB09CF68C490AAEBBF1FF48310F1581A9D959EB355D738EA51CB90
                  Function 05F5903E Relevance: .2, Instructions: 186COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41b6811bff9a4dc07e31df69a37d94357da29608a2691c33fe39cea044569ac3
                  • Instruction ID: c0be0188f453895a7369b4c570a554b23eff4a1f31bb960ece75fe739db90eb2
                  • Opcode Fuzzy Hash: 41b6811bff9a4dc07e31df69a37d94357da29608a2691c33fe39cea044569ac3
                  • Instruction Fuzzy Hash: BC61BF72704715EBD719DF64C988BABBBA9FF48720F004619FE5A87240DB78E901CB91
                  Function 05F5FCF2 Relevance: .2, Instructions: 181COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 87790701042bf3aa8ca0d3ef2e4ad692e9093080a7a573dab4f0c20b22d700ce
                  • Instruction ID: 04492d8abba6aec6a49adec16c4c62921c9443ae55a0f792fa1eda4eebf09c55
                  • Opcode Fuzzy Hash: 87790701042bf3aa8ca0d3ef2e4ad692e9093080a7a573dab4f0c20b22d700ce
                  • Instruction Fuzzy Hash: 3861C5B1E1020A9FCB04DF68C845ABEB7F5FF48324F1045B9EA56E7284E738A951CB50
                  Function 05E97703 Relevance: .2, Instructions: 179COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b6e6ccc01d702fa28ec122a7b751a337edb077ee96382cc0fef7179ca2e467c
                  • Instruction ID: 6b4f51bd9ea69cfe58aec7a6ad98c97c7a49417a21137fdbf65a6e1309ea1ba3
                  • Opcode Fuzzy Hash: 0b6e6ccc01d702fa28ec122a7b751a337edb077ee96382cc0fef7179ca2e467c
                  • Instruction Fuzzy Hash: BA617C75B10606AFDF1CDF78C480AADFBB6FF89204F14916AD599A7300DB30A945CB90
                  Function 05F5CE93 Relevance: .2, Instructions: 172COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                  • Instruction ID: 1236eef45355aab1dc81b5160bb6c4decaf65c85347f5fe94d2063bd65cb62c4
                  • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                  • Instruction Fuzzy Hash: 0A51E432B087025BC714DE298850B6BBBD7BFC0260F19846DEE97D7245EA38DD0687E1
                  Function 0040FC63 Relevance: .2, Instructions: 165COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                  • Instruction ID: 7113ae4b8f00ea26e8329cf58c0fa7a781a8a0863526c39fa8e1d65559ab3f4e
                  • Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
                  • Instruction Fuzzy Hash: 975163B3E14A214BD318CE09CC40635B792FFD8312B5F81BEDD199B397CA74E9529A90
                  Function 05F0D5D0 Relevance: .2, Instructions: 161COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                  • Instruction ID: 8529e953efddbdd8856261c43192c440b417aa01811b37422ceb093729f3473f
                  • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                  • Instruction Fuzzy Hash: 4051F7766043029BCB11DFA48C40A7B7BE6FF88244F181829F985C7291E739C856E7E2
                  Function 05ECB570 Relevance: .2, Instructions: 161COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e1cde3639855bf99dcbd3a4868e7e803ffd0e00bbe9c46e747175b228b7fcb9e
                  • Instruction ID: 3c61dc1aae43f77531986ca6bbd7f1824acb805c239d24e0c6c95e8b152c9a5c
                  • Opcode Fuzzy Hash: e1cde3639855bf99dcbd3a4868e7e803ffd0e00bbe9c46e747175b228b7fcb9e
                  • Instruction Fuzzy Hash: 045103B1615244AFE720EF24CD89FBB7BA9EB85324F04166CF991871D1DB38E801C7A1
                  Function 05EB95DA Relevance: .2, Instructions: 160COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 66b168fb35d594c8a14a1224df3dcac9d17426b3264b2a27d8a5ac267205ec20
                  • Instruction ID: d8e10bc57b38d3178faec9ad2d4729c14c5da1936a58659b495529c0f1efeb5e
                  • Opcode Fuzzy Hash: 66b168fb35d594c8a14a1224df3dcac9d17426b3264b2a27d8a5ac267205ec20
                  • Instruction Fuzzy Hash: D1518E71A00208ABEB21DFB5CD85BEEBBB6FF05305F20112AE6D0A7191DBB19945DF10
                  Function 05F57D73 Relevance: .2, Instructions: 160COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f4f2c1d53dde88f9ebfabb44a1875ff42ca81c99acbbb0b390c17c66dac396a3
                  • Instruction ID: 2721e6bcda14c8985972a33f02405759391f926f48aa134e2e0722a4725ba5b6
                  • Opcode Fuzzy Hash: f4f2c1d53dde88f9ebfabb44a1875ff42ca81c99acbbb0b390c17c66dac396a3
                  • Instruction Fuzzy Hash: 8751C336A1014A8BCB08CF68C880AAEB7F2FF98314B15827AD915DB355E734DA15CB90
                  Function 05EA3740 Relevance: .2, Instructions: 159COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9706900715edde9df59b627a3e6364f4db7638b90c5cf4791f073d6d546d642f
                  • Instruction ID: c375818548e9fb86758076dc9c10e0b91f181bd513ac2fd5397536228922ff2e
                  • Opcode Fuzzy Hash: 9706900715edde9df59b627a3e6364f4db7638b90c5cf4791f073d6d546d642f
                  • Instruction Fuzzy Hash: C251EF76A00616AFD711CF78C484AA9B7B1FF08714B049AA5E885DF780E734F991CBD0
                  Function 0040FC5B Relevance: .2, Instructions: 158COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: efae17fffb2dfe9c5cc508ecd0e11abb24f01da6a33fed8edc2f506eecb531c3
                  • Instruction ID: aec773eaac201724bea61aa2b292a025681b3c6d4416e1d42d964f0f78d62508
                  • Opcode Fuzzy Hash: efae17fffb2dfe9c5cc508ecd0e11abb24f01da6a33fed8edc2f506eecb531c3
                  • Instruction Fuzzy Hash: EB5184B3E14A214BD318CF05CC50631BA92EFD8312B5FC1BECD199B397CA74A9519A90
                  Function 05ECE443 Relevance: .2, Instructions: 158COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 59442c4e6a9571d98f630ae65f0835a66e9d3ab2f600fa0a7b1a9d8e3203c978
                  • Instruction ID: 902f38153e1a59bfc277f4958bd92f8a549b1705e17d4b29357c37ed1b02591d
                  • Opcode Fuzzy Hash: 59442c4e6a9571d98f630ae65f0835a66e9d3ab2f600fa0a7b1a9d8e3203c978
                  • Instruction Fuzzy Hash: E8514071600A04EFDB22DF64CA84EAAB7FEFF08744F541869E59697260E734F941CB60
                  Function 05E97152 Relevance: .2, Instructions: 158COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6535b5a8b85cb5fd61f3925bfb5fc3a645f97c6c5f2b15485faeed0cf916ad98
                  • Instruction ID: 93266aa1f3af08759eefd0c4831453aa6e5e676048557d296f35c63c6ebd02e7
                  • Opcode Fuzzy Hash: 6535b5a8b85cb5fd61f3925bfb5fc3a645f97c6c5f2b15485faeed0cf916ad98
                  • Instruction Fuzzy Hash: E151FF31A14609EFEF09DF64C948BBEBBB2FF46315F105069E58797290EB749905CB80
                  Function 05EB45B1 Relevance: .2, Instructions: 156COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                  • Instruction ID: 7d673f21e861482d166df75e9fabbeb2a39ff1272bc0e4a9cbf36bacbb8e5294
                  • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                  • Instruction Fuzzy Hash: 2551B472E04219ABEF15DF94C440BEFB7BABF48305F045069E981AB291E7B4DD44CBA0
                  Function 05F0D800 Relevance: .2, Instructions: 155COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 93a53e47d56e3ea867c26984d7791a00a92865257ef7e4920df688dd7336977c
                  • Instruction ID: 5b41fcebfad1916a4bc401f11c4c840306f9dfc6c1b668715ffd916038a124cc
                  • Opcode Fuzzy Hash: 93a53e47d56e3ea867c26984d7791a00a92865257ef7e4920df688dd7336977c
                  • Instruction Fuzzy Hash: 1051C270A00215EBCF14DF99C580ABEB7F6FF45700F085159E982DB680E739D951EB90
                  Function 05F57571 Relevance: .2, Instructions: 153COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 54fe94158dcaadc9d49bba24549176542c8de53f00059d9b73df2cc8363a4d16
                  • Instruction ID: c7b595af560ea67be5623010e4d42273c8bb78c509de00fe4158d246fe6e16c3
                  • Opcode Fuzzy Hash: 54fe94158dcaadc9d49bba24549176542c8de53f00059d9b73df2cc8363a4d16
                  • Instruction Fuzzy Hash: BC51D871E0111A9BCF15EB68D844A7EBBB6FF483A4F044529EE12D7250DB78AD15CBC0
                  Function 05E951ED Relevance: .1, Instructions: 149COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3dd41697d08c0177712b68aa73fc67c03f325e4cbd377f3c0657f6965acbd04d
                  • Instruction ID: d1b4377f753363ce9b529fc7865e43962d8079d3deccf27fbc148c604cbeae5c
                  • Opcode Fuzzy Hash: 3dd41697d08c0177712b68aa73fc67c03f325e4cbd377f3c0657f6965acbd04d
                  • Instruction Fuzzy Hash: 8251A231B05215DFEF2ADBA4D848BFDB7B6BF04718F14205AD886E7241E7B4A840CB50
                  Function 05ECF71F Relevance: .1, Instructions: 143COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 669ed21678f1bc5f8f71910e42bb0ed1e801c99914566222425afe8aa8623ef9
                  • Instruction ID: 4bd082bcfc9cf980b396d3659c4b8308b035bf2fea0dcec61fe835892c0cca6e
                  • Opcode Fuzzy Hash: 669ed21678f1bc5f8f71910e42bb0ed1e801c99914566222425afe8aa8623ef9
                  • Instruction Fuzzy Hash: 8441DA73D04229ABDB21DFA48D84AFFBBBEAF04654F051166E991E7200EA34DD01C7E4
                  Function 05F635D7 Relevance: .1, Instructions: 139COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                  • Instruction ID: f1f4128fbc1176d3be4b083b93148a551013e9344595ad0fe8a0b858edfb86ae
                  • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                  • Instruction Fuzzy Hash: 2E516B72604606EFCB15CF14C580E66FBB6FF45304F15C5AAE8089F262E375E986CB90
                  Function 05E9D534 Relevance: .1, Instructions: 138COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 205744772946db7512a7628ac258b08d992ff81b9cc6707ea7d3846522863d66
                  • Instruction ID: baf826269fbc2d160270591e23900cb169003f3bfa0a759485825850d789629c
                  • Opcode Fuzzy Hash: 205744772946db7512a7628ac258b08d992ff81b9cc6707ea7d3846522863d66
                  • Instruction Fuzzy Hash: E251D0723046A0DFDB25CB18C944FAAB3E6BB48758F051965F886CB791EB38DC40C761
                  Function 05EC01F8 Relevance: .1, Instructions: 138COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0460619ea2307c56b04b50fdea033df71fe9175f28897edd261bde4829b1dd6f
                  • Instruction ID: e383bfeef367797457941afd624cb5f8c18662707b6ab5be8044f63c68c15bf4
                  • Opcode Fuzzy Hash: 0460619ea2307c56b04b50fdea033df71fe9175f28897edd261bde4829b1dd6f
                  • Instruction Fuzzy Hash: 3641CE35E01215DBDB14DF98C544AEDBBB5BF48714F14A19EE896E7240E734EC02CBA4
                  Function 05ED2750 Relevance: .1, Instructions: 137COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                  • Instruction ID: efa01d1ee20cd2b296ec5b45fd75b268505c664bdbdbaf4103c1a25aac9f51ab
                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                  • Instruction Fuzzy Hash: 1C515C79E00215CFCB14CF98C480AAEF7B6FF84710F2991A9D895A7390D734AE42DB90
                  Function 05F0D1C0 Relevance: .1, Instructions: 135COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                  • Instruction ID: e79077163e877c0fe157db7e9c1073827dfc7c5d4c142f5342154ddaa204abf3
                  • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                  • Instruction Fuzzy Hash: E2510771E04205DFCB18CFA8C581AA9BBF1FB48314B18856ED81AD7345D738EA80DF90
                  Function 05E96154 Relevance: .1, Instructions: 133COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 75f9ccbad281b40d16cbea8e68e2b7dba3b2d4b876ed668181e85bafec5e4ca8
                  • Instruction ID: f79e7bb8adaaff0b515d93e8f304952b1f2fec354f6ca6441a457bdbf6799c4e
                  • Opcode Fuzzy Hash: 75f9ccbad281b40d16cbea8e68e2b7dba3b2d4b876ed668181e85bafec5e4ca8
                  • Instruction Fuzzy Hash: C451F871A04116DBDF29DB24CC04BF9B7B2FF05318F14A2A6D59AAB6C1EB345981CF40
                  Function 05E8B136 Relevance: .1, Instructions: 131COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bea86702ebb49980fa6cd100ff7194fa245fad91dc180b387a1bdcd863e4fa12
                  • Instruction ID: 151d71ca443dd6f2d8889344246c9b1328265f0d9af4e2d60ce2fe06e85275fd
                  • Opcode Fuzzy Hash: bea86702ebb49980fa6cd100ff7194fa245fad91dc180b387a1bdcd863e4fa12
                  • Instruction Fuzzy Hash: DE41BE71640305EFDB25EF64C984B7ABBAAFB00794F106469E599DB260E770EC01CB90
                  Function 05F5866E Relevance: .1, Instructions: 129COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                  • Instruction ID: 9541307cac7ad0a0a2243597b76d335bc1c95061ceed3e315b672722af38a9b3
                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                  • Instruction Fuzzy Hash: 0A41B675F00105EBDB15DFA5CC84ABFBBBABF846A0F244069ED05A7341D678DD048750
                  Function 05F5F0E0 Relevance: .1, Instructions: 129COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9057afc8c06b18d3a8bcc6f0521070657990326afb08257a079caa3fcedc740e
                  • Instruction ID: 0a47a5a77b1257a1249e68dfb43c036ddf358ca5febeae7110efdf26ffdeab09
                  • Opcode Fuzzy Hash: 9057afc8c06b18d3a8bcc6f0521070657990326afb08257a079caa3fcedc740e
                  • Instruction Fuzzy Hash: 8D41C1B12183418BCB04CF25D8A587ABBE1FF84625F04899EF9D58B382DB34D909CB61
                  Function 05F3D5B0 Relevance: .1, Instructions: 128COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 17fd9182acabca7971d802b2d3a8c2ea05865015ee79957547cfaba0c7134a78
                  • Instruction ID: 7b956c6b6567e842aaf38ca4dd2e115b7817c4bf0b1db02f5a35e660d1f818ea
                  • Opcode Fuzzy Hash: 17fd9182acabca7971d802b2d3a8c2ea05865015ee79957547cfaba0c7134a78
                  • Instruction Fuzzy Hash: C2412631E082949FDB14CF29C496ABAFBF2FF49340F0584A9E4D6CB245C738A456DB60
                  Function 05EBA470 Relevance: .1, Instructions: 127COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 64ce6f77b46dbbacf3b8a812319162680df56233486e1fa9f8fb016bc898fd94
                  • Instruction ID: bf5d71d47af3d63e346f0bf9fe4fda1eeb66ba0c5b7d47cccb8734cf680a013f
                  • Opcode Fuzzy Hash: 64ce6f77b46dbbacf3b8a812319162680df56233486e1fa9f8fb016bc898fd94
                  • Instruction Fuzzy Hash: 6E41D332A45209CFEF11DF68D4547FE7BB6FB04319F042169D491BB290EB749A00CB60
                  Function 05EBD6E0 Relevance: .1, Instructions: 126COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a16c2af43e37273033b91d857c53637fc9b595e411497d5910d6dfa179e47b7a
                  • Instruction ID: 9610006575e5db6cc9a07c38c0c7fbc39181f9eb12323c715cac1f3c37a7d402
                  • Opcode Fuzzy Hash: a16c2af43e37273033b91d857c53637fc9b595e411497d5910d6dfa179e47b7a
                  • Instruction Fuzzy Hash: 834106756142059FE720EF24CD98FBBBBA9EB45324F04252DF9A587291CF34E801CB91
                  Function 05E8A020 Relevance: .1, Instructions: 122COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                  • Instruction ID: bdf4b81f2a38e9178723af08118b6c0747935f4ac3a11b745d915c61b08621f4
                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                  • Instruction Fuzzy Hash: FA412E31B14221DBEB20EE558884BFAB776FB40769F15A07BE9CD9B240E6319D40C791
                  Function 05EC0710 Relevance: .1, Instructions: 121COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                  • Instruction ID: 50dd88749086e1b0c82aa0f1333cec2d1a7e55811af245208fbac1fe0fcb7b86
                  • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                  • Instruction Fuzzy Hash: 89415A72A00604EFDB24DF98CA94AAEBBF5FF08300B1049ADE596D7250E330EA45CF50
                  Function 05E9262C Relevance: .1, Instructions: 119COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8269b1eb869b88190d1f62c0e00a953f39eb51da955f5fe5251eb90e39225b3d
                  • Instruction ID: dd8153b244707f7cc4ba5abba7c823feede72b381dde8511abf7e715c31efd6d
                  • Opcode Fuzzy Hash: 8269b1eb869b88190d1f62c0e00a953f39eb51da955f5fe5251eb90e39225b3d
                  • Instruction Fuzzy Hash: CD41F579601704EFDF28EF24C940B79B7B2FF44314F109199C6969B6A1EB30A941CF51
                  Function 05F5FFB1 Relevance: .1, Instructions: 117COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ceaaac6725ba57a371536a45d127880754a3dbdeb6bc0ae7cf576a2293e03a7f
                  • Instruction ID: f29a44a2e262e60021660ee68ba697f210781ff825a70b0ba6f36c7b88bf21dd
                  • Opcode Fuzzy Hash: ceaaac6725ba57a371536a45d127880754a3dbdeb6bc0ae7cf576a2293e03a7f
                  • Instruction Fuzzy Hash: 2C414B31A041596BDB00CB65C4A46BBBFFABF85249F1881A5D8C2D7282FA3DC506D770
                  Function 05F5EEDB Relevance: .1, Instructions: 113COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9beff1acb08e8d48a60c08fcaa8205abed0d7e00f8644d191c1335512f836837
                  • Instruction ID: 99ab6e5db9e6c59e27615097c053b27fc4006a05ea4470fb1380e7f494b3fb9c
                  • Opcode Fuzzy Hash: 9beff1acb08e8d48a60c08fcaa8205abed0d7e00f8644d191c1335512f836837
                  • Instruction Fuzzy Hash: 43419233E1402A9BCB18CF68D495579B7F6FB4831576641BDED06AB280EF38A905CB90
                  Function 05F105A7 Relevance: .1, Instructions: 111COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4ee367eef3228bd71361b5e09507e5cb0735a06e4a1dff424844d160dbf00d8b
                  • Instruction ID: d5bbf0db11d86d288d746a7289982daaebd920a0876261cf4e6c6d81bfa298ca
                  • Opcode Fuzzy Hash: 4ee367eef3228bd71361b5e09507e5cb0735a06e4a1dff424844d160dbf00d8b
                  • Instruction Fuzzy Hash: FC41D672A087459FC320DF69C844A7AB3E9FFC8700F044A2DF89597680EB34E945C7A9
                  Function 05F5FB76 Relevance: .1, Instructions: 109COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f3c5b3255aad2a5428866663006bd1f93cc136b4bddacf21d39fdd66052bab66
                  • Instruction ID: 10d534d61e597c3357afddb97d75a65cf5eb51b2fb3e00ef84a21ce066ce546b
                  • Opcode Fuzzy Hash: f3c5b3255aad2a5428866663006bd1f93cc136b4bddacf21d39fdd66052bab66
                  • Instruction Fuzzy Hash: 5531C7B2B24115BBD714DF29CC49A67BBE6FF88364B058574FE09CB240DA38E901C790
                  Function 0040DF03 Relevance: .1, Instructions: 108COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                  • Instruction ID: 0de45e5a7e1ccbd481d4308faca4a9ce0a158b0a65d0046191796d59d4422895
                  • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                  • Instruction Fuzzy Hash: C4316211A586F14DD31E436D08BD675AEC18E5720174EC2FEDADB6F2F3C4988408D3A5
                  Function 05E95702 Relevance: .1, Instructions: 104COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d015614ebfc20bbf615766e015c88473e062d0e49bd5cf271fcae07bf54fb984
                  • Instruction ID: 46e1ed4027f106ba51fdfd8b926e70c9c0ca188b6d6f61b61b3c0b6fc7ca2a2a
                  • Opcode Fuzzy Hash: d015614ebfc20bbf615766e015c88473e062d0e49bd5cf271fcae07bf54fb984
                  • Instruction Fuzzy Hash: 1B31D336301A06FFDF5A9F20CA84EA9F766FF44754F406066E98247A50EB70E920CBD0
                  Function 05EB50E4 Relevance: .1, Instructions: 101COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                  • Instruction ID: ab0179ceac36cdecdccb8e1463b24b07a9a72cc25fab9a4ef31e85b8dfacf787
                  • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                  • Instruction Fuzzy Hash: 1831F4317087419BF721DE68C800BE7B79ABB85759F08952BF4C58B281F6B4C841C7A2
                  Function 05E8B480 Relevance: .1, Instructions: 100COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 30254901d2d6a346d08982023772da68469a5c1d9f2d6de1e58d43ac0ba8408b
                  • Instruction ID: 900c0a228e8d9bcebf0d0fbd0ef430558b3a5ad203a603bb500af8d170b4ca5c
                  • Opcode Fuzzy Hash: 30254901d2d6a346d08982023772da68469a5c1d9f2d6de1e58d43ac0ba8408b
                  • Instruction Fuzzy Hash: ED31F172600204AFC721EF24C840A7A77AABF45364F145669EDDD8F2A1DB31ED06CBD0
                  Function 05F561C3 Relevance: .1, Instructions: 97COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a1078ed0513d098d4d96cc67a1bae5faec60c1590b8247c813d0216d5ca9db2d
                  • Instruction ID: 95dcc0c298305aef178e27edf82981b16012119f63ea334efb74318a7daffd32
                  • Opcode Fuzzy Hash: a1078ed0513d098d4d96cc67a1bae5faec60c1590b8247c813d0216d5ca9db2d
                  • Instruction Fuzzy Hash: 4331E476E00219ABDB15DF98CC44FAEB7B6FB48750F814168E910EB284D774ED41CBA4
                  Function 05E89730 Relevance: .1, Instructions: 96COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d93143e735cfd00c15e364feee3d246c3f9c15f9bc58b1bc8b1702423d6823cb
                  • Instruction ID: db2f2baaac716f2509669ae36d9016201dd990fa7beeeb3642261b18fc3f5cae
                  • Opcode Fuzzy Hash: d93143e735cfd00c15e364feee3d246c3f9c15f9bc58b1bc8b1702423d6823cb
                  • Instruction Fuzzy Hash: 8721D337E04A14ABD322AF288804B3A7BB6FB84B54F111429E59DDB752DB35E800CB90
                  Function 05F56BD7 Relevance: .1, Instructions: 96COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 70426c61b7e6c4c394b480ab884234794b237f9b47fdb6223d8e0d51ae4c691e
                  • Instruction ID: 8f5d267ba40486e7b7be701454ab102cee2d751cbef6de8fceed5dd7b2e05d22
                  • Opcode Fuzzy Hash: 70426c61b7e6c4c394b480ab884234794b237f9b47fdb6223d8e0d51ae4c691e
                  • Instruction Fuzzy Hash: BA31AA31B102149BCB14DF29D8C9A6B7BF5FF48211F8180A9FA08DF285E774E905CBA0
                  Function 05E907AF Relevance: .1, Instructions: 95COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6a9f4e1de670f486d533ed4d0bba66aaa600fe4e2fd041e906c1c582baa19449
                  • Instruction ID: d3f1f5909e3e60909f1de40d59df28567df798d198d90da313e171b190b6afdb
                  • Opcode Fuzzy Hash: 6a9f4e1de670f486d533ed4d0bba66aaa600fe4e2fd041e906c1c582baa19449
                  • Instruction Fuzzy Hash: 0F31D832B04751DBDB2ADE248888DFB77AAAF84750F4155A9FCD9A7310EA30DC0187D1
                  Function 05F560B8 Relevance: .1, Instructions: 95COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 49964cc9b73bc43aa93c54e3c90d3e17de19ff79b0408a2fc54dbc60c3d258b0
                  • Instruction ID: 74a29b7c45a76a631a09318222f8ab255bcff7bf62eb6f0afbe7156eadf58834
                  • Opcode Fuzzy Hash: 49964cc9b73bc43aa93c54e3c90d3e17de19ff79b0408a2fc54dbc60c3d258b0
                  • Instruction Fuzzy Hash: 7C31D672B40605AFDF129F68CC50B7EB7BAAF44B64F404069EA55DB351DA38DC008B90
                  Function 05E98550 Relevance: .1, Instructions: 94COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2aae178cfa4d2aa60b6c7ea8c69631228212273a73c486e231c108717b142288
                  • Instruction ID: a00bbc70bdd4234c51fbcabeca8946e31e85db2f42d44ae07d157c51f3a8f478
                  • Opcode Fuzzy Hash: 2aae178cfa4d2aa60b6c7ea8c69631228212273a73c486e231c108717b142288
                  • Instruction Fuzzy Hash: 4531AE766093019FE724CF19CC40B6AB7E5FB88704F04596DEACA9B3A1D770E848CB91
                  Function 0042E9F3 Relevance: .1, Instructions: 93COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dfdefe39f26f9449e3fbc521915a4cb818f91b514011c8abbba79418a84b8116
                  • Instruction ID: 99284136c46ac9f6420519313eea25c394cc8d646be6fb5e402dd01077ab7311
                  • Opcode Fuzzy Hash: dfdefe39f26f9449e3fbc521915a4cb818f91b514011c8abbba79418a84b8116
                  • Instruction Fuzzy Hash: CE31DF72B106265BD354CE3AD880656F7E1FB88310B94863AC918C3B80E778FD62CBD0
                  Function 05E8D6AA Relevance: .1, Instructions: 93COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                  • Instruction ID: dfdb00e16cf51ec859d247d5d430e65d7352dbb6637bccd06eedb732847582c8
                  • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                  • Instruction Fuzzy Hash: 8D31B837601504AFEB22EE54DE84F7EB3AAEB80754F159428A98D9B280E671DD40CB90
                  Function 00402F50 Relevance: .1, Instructions: 92COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188258196.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_ilasm.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7d754ebe75ecbddff2241da81080734a4b983baa83fe5f40215fc82514c580b2
                  • Instruction ID: 8492890e50f6258e51f2abb4270e74ddc6fcafb9c4263f1d728b6bf572a33879
                  • Opcode Fuzzy Hash: 7d754ebe75ecbddff2241da81080734a4b983baa83fe5f40215fc82514c580b2
                  • Instruction Fuzzy Hash: 9C31D472A10A108FD368CE6ED989657F7E1EB98344B41867EE859D3B80C6B8F841C7C4
                  Function 05E957C0 Relevance: .1, Instructions: 92COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41937bdf8deba48742a30bd8e44385cb2f5c864218d44816631dd7c25b15724f
                  • Instruction ID: 694d9f207fa76e16c9978f07dd101c6956df292dff26065e677de1d0ccbfca18
                  • Opcode Fuzzy Hash: 41937bdf8deba48742a30bd8e44385cb2f5c864218d44816631dd7c25b15724f
                  • Instruction Fuzzy Hash: 3031A235715A45FFDB56DB24DA44EA9BBA2FF44304F446066E98287B51EB30E830CB80
                  Function 05ECA6C7 Relevance: .1, Instructions: 92COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                  • Instruction ID: 87942de59208c1b4efbfece7165576824f55d1b4a64af9ab170d0e8719f11eff
                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                  • Instruction Fuzzy Hash: 4E312872B04B04AFD760CF69CE40B67BBF9BF08A50F08197DA59AC3650E630E9018B60
                  Function 05EE7190 Relevance: .1, Instructions: 89COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                  • Instruction ID: 25b0d024abb1f28ee5c9076b20966aac59a88add5b983fea6585c7d99957f93b
                  • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                  • Instruction Fuzzy Hash: 78317875604346CFC710CF28C880956FBF6FF89354B2986A9E9999B325E730ED06CB91
                  Function 05E8E420 Relevance: .1, Instructions: 88COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 88e877f774708a1921e92dc7c51b9617c7f7d448aa0b6f94c6fac27c122a83fd
                  • Instruction ID: 144bd73147c03a6ca72cb0e54a21f463d34f1acbfe6b3ddf1e3782c9026dc0c4
                  • Opcode Fuzzy Hash: 88e877f774708a1921e92dc7c51b9617c7f7d448aa0b6f94c6fac27c122a83fd
                  • Instruction Fuzzy Hash: B731C732A0052C9BEB31EB14CC41FFAB77EAB05740F0110A1E5CDA7290D674AE848FA0
                  Function 05E8C156 Relevance: .1, Instructions: 88COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: de0ae12af20e0b55e7406a562e7b2b26b4eed298f946decc7f5e747c9f1a61cb
                  • Instruction ID: 22c014735d039ea4bfea352469a5175a1f272b91a960d54925db1173d7a6a4bf
                  • Opcode Fuzzy Hash: de0ae12af20e0b55e7406a562e7b2b26b4eed298f946decc7f5e747c9f1a61cb
                  • Instruction Fuzzy Hash: 413149B66002009BDB20AF24CD45BB977B5FF41308F5491ADD8CA9F381EE74D982CB90
                  Function 05EC4588 Relevance: .1, Instructions: 87COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                  • Instruction ID: ca5f04eacdfac0aada9df411c71072e0ddc1edff4bb858a24732e5f090b600e9
                  • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                  • Instruction Fuzzy Hash: 6D217431B00608EBCF15CF58CA94A8EBBB5FF48715F1090A9ED559F285D671EA068B50
                  Function 05EC44B0 Relevance: .1, Instructions: 87COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7befba3a1b45a808d85027a5e563e32b0a7af1295ad93884a39479ee8775bae0
                  • Instruction ID: 9f01f23d9a3fb0db41d4001cf646cdacf891d26439f5d0634b91ca7d9256409e
                  • Opcode Fuzzy Hash: 7befba3a1b45a808d85027a5e563e32b0a7af1295ad93884a39479ee8775bae0
                  • Instruction Fuzzy Hash: 9521D1726087059BCB21CF18C950B6BBBE5FB88721F05456DFCD59B280D770EA028BA1
                  Function 05F0E609 Relevance: .1, Instructions: 86COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4b7ec5e884b697a1101a38c57a83f7193dceb9a1abd5129af687704555425d3d
                  • Instruction ID: 6a85a4dc11f8980f0b6a3f6fd08c7ae8bc14f5b75423209c27bf6c2a744b792a
                  • Opcode Fuzzy Hash: 4b7ec5e884b697a1101a38c57a83f7193dceb9a1abd5129af687704555425d3d
                  • Instruction Fuzzy Hash: D231B175A20205EFCB14CF18D484DAEB7BAFF94304B195859F94ADB390E735EA40CB90
                  Function 05F603E6 Relevance: .1, Instructions: 86COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: de43689cb7cd3acdedd21827362674e41b43d102a28f2f1d8ec310428e384efd
                  • Instruction ID: 4d33285caf1ca69e11431452318f46f5200eecaee5fa19676427f5ae2e257bd3
                  • Opcode Fuzzy Hash: de43689cb7cd3acdedd21827362674e41b43d102a28f2f1d8ec310428e384efd
                  • Instruction Fuzzy Hash: 92316171B14119AFCF14CBA4C998ABFBBBEFB88244F114129E906E7240DF346D04CBA0
                  Function 05ECD530 Relevance: .1, Instructions: 85COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9f8ab1e57783983588841470ad48a3d4b6fa7779903ccca2d9a99c5147794b2b
                  • Instruction ID: 8884254c138edfa5e456b833f6d61a948c31827535392d6d42c744a42969f63c
                  • Opcode Fuzzy Hash: 9f8ab1e57783983588841470ad48a3d4b6fa7779903ccca2d9a99c5147794b2b
                  • Instruction Fuzzy Hash: D3213772A043449BC610EB34CE48F677BEABB54654F001829FA85DB290EB39E801C7A5
                  Function 05F60591 Relevance: .1, Instructions: 84COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bf58bf3e9cf4c50aa2b362cd5654ef019f68b4d71e57f6d08b64b0b2aa7e7f71
                  • Instruction ID: 361a9136e0ff01804bebae0183e056ce6a042b5793fa1b95aae02c97f18e772f
                  • Opcode Fuzzy Hash: bf58bf3e9cf4c50aa2b362cd5654ef019f68b4d71e57f6d08b64b0b2aa7e7f71
                  • Instruction Fuzzy Hash: C621F332A142058FD728CE29C888A76B7AAFFC4310F654478E905CB281DF79FC45C750
                  Function 05E93616 Relevance: .1, Instructions: 84COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5c7e08b98b2c3a9fe1f93d2660d2dc7018b4baea1bb25919a571e2bf79aabf21
                  • Instruction ID: 9f37cf8e9ab46f6d4f954e7b4987229c3455b4da1f56c7ec663298281bca3bfd
                  • Opcode Fuzzy Hash: 5c7e08b98b2c3a9fe1f93d2660d2dc7018b4baea1bb25919a571e2bf79aabf21
                  • Instruction Fuzzy Hash: 682125362056909FDF25EF14C948B7ABBA2FF88B14F002D19E9C15BA41DA70E804CBC2
                  Function 05F106F1 Relevance: .1, Instructions: 79COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 64e3dd07ab1f5ef8bd0c589ea91aa50d2f38c28127c15d712af741a8ac8065c7
                  • Instruction ID: ad22d26b7d4e2998be3b5f187f09a7f4e680d2ea9513ce3ea06be969bfc0d280
                  • Opcode Fuzzy Hash: 64e3dd07ab1f5ef8bd0c589ea91aa50d2f38c28127c15d712af741a8ac8065c7
                  • Instruction Fuzzy Hash: E8219172E00629ABCF14DF59C885ABEB7F9FF48740B540069F841AB250DB78AD41CBA4
                  Function 05EC9660 Relevance: .1, Instructions: 78COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 23dbbffaeb732239d4cb395f2ed28a3089e855d87528771cdd1fcacf7d684754
                  • Instruction ID: 34df02d00b70169382faffd820ad049d57e3d2fb191da1842ccec1b9b87e9360
                  • Opcode Fuzzy Hash: 23dbbffaeb732239d4cb395f2ed28a3089e855d87528771cdd1fcacf7d684754
                  • Instruction Fuzzy Hash: 792123316006009BDF31AA20C944F777BA3BF44324F14265CE4D6CA9E1EB29F842DB52
                  Function 05F1019F Relevance: .1, Instructions: 78COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38d1d6b454f62e6e2dd63d74ac610f7fa9194d077f3adb7fefbd2b4bf3f282c5
                  • Instruction ID: 78e463012d2bd18bd2a0317522856f85d3690bbb3686bc22bd16ac7de49beb97
                  • Opcode Fuzzy Hash: 38d1d6b454f62e6e2dd63d74ac610f7fa9194d077f3adb7fefbd2b4bf3f282c5
                  • Instruction Fuzzy Hash: 6B219C72A00644FFD715DFA8C948F6AB7A8FF48740F144069F945DB691EA38ED40CB68
                  Function 05F0D0C0 Relevance: .1, Instructions: 73COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                  • Instruction ID: 0f15722fa224433373308891a793be78ee651341e9f7edb1a32f6dee274eb5cc
                  • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                  • Instruction Fuzzy Hash: 1C21B072A44704ABE321DF28CC41B5BBBA5FF88720F14052AF949DB3E1D634E80197A9
                  Function 05F601AA Relevance: .1, Instructions: 71COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09885120b2e37927a4720b026c5945317e9e98c4ed06fd6c038a2d23445ee74a
                  • Instruction ID: 94d1556c1045e7ccd8c349e6aa64ed6d20f7494e1807394983661c36705250e4
                  • Opcode Fuzzy Hash: 09885120b2e37927a4720b026c5945317e9e98c4ed06fd6c038a2d23445ee74a
                  • Instruction Fuzzy Hash: ED2106712142504FDB05CB5A88F48B6BFE9EFD616571981E6E8C4CB343D528D907C7A0
                  Function 05EB15A9 Relevance: .1, Instructions: 69COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                  • Instruction ID: b60462595bd5378a719d199c0a251eaf10f1a3d3f308191cb096d2d515b8d3ff
                  • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                  • Instruction Fuzzy Hash: 4B210472605685CBF726CFA9C858FA277EABF04258F0914B0DDCA8F292FA64DC40C750
                  Function 05E8B765 Relevance: .1, Instructions: 69COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: fc5b838b4fcee862175f0f1ecf2224080b630d6ad10ca48f6ce6ae0c18881bc6
                  • Instruction ID: f703cdf6a67a873ba36a6202f373e37ef3243158e39ae865e31c654647fc842a
                  • Opcode Fuzzy Hash: fc5b838b4fcee862175f0f1ecf2224080b630d6ad10ca48f6ce6ae0c18881bc6
                  • Instruction Fuzzy Hash: 97217C32610A40DFD721EF68C945F2AB7FAFF18708F14496CE18A9B661CB34E801CB54
                  Function 05F5EE26 Relevance: .1, Instructions: 69COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f2f589acef8b933d9ed816a949b69933c7a1e1c2f413f1ba47cde24f7d67af0a
                  • Instruction ID: 28d0ec890530c256ff5ae2dc97a294728313ffd2197e266a53b7d5ad8b91387c
                  • Opcode Fuzzy Hash: f2f589acef8b933d9ed816a949b69933c7a1e1c2f413f1ba47cde24f7d67af0a
                  • Instruction Fuzzy Hash: 2921B7336204269B9B18CF3CD805476F7E6EFCC31535A427AEA12DB254EB74BD118684
                  Function 05E98770 Relevance: .1, Instructions: 68COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ab805f61bdc2eaafbaab6917cd84f590bb52071f66540f58be311550e28db767
                  • Instruction ID: 9f9b959b6963948c5fed33fa5a84e6d5a36bf7ac5a2b22334b029f8dc62f1c47
                  • Opcode Fuzzy Hash: ab805f61bdc2eaafbaab6917cd84f590bb52071f66540f58be311550e28db767
                  • Instruction Fuzzy Hash: B311017A7086109BDF19CF49C5C0A66B7EABF4B714B1890A9EC09EF225D6B2D901C790
                  Function 05EC0124 Relevance: .1, Instructions: 68COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                  • Instruction ID: f9f783545bb384e5e2ab297874bed7e52f02c19620ca848046c2f6a33a21461a
                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                  • Instruction Fuzzy Hash: 0A11D072600714EFE7229E95CD49FAEBBB9EB80754F10406DE6848B180D671ED46CB60
                  Function 05E93720 Relevance: .1, Instructions: 67COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 33f12930f606693bedc37c2f2a64fb7e39da7e82b53f4fdab83a76b6f51ad741
                  • Instruction ID: 20634eeea85be58023fee7fab9a1b8a7bc31822a42c341644573215d2c24eb0b
                  • Opcode Fuzzy Hash: 33f12930f606693bedc37c2f2a64fb7e39da7e82b53f4fdab83a76b6f51ad741
                  • Instruction Fuzzy Hash: 6521C27AA042098BFF19DF6DC4487EEB7B4FB8831CF299418D892572D0CBB89945C754
                  Function 05E980E9 Relevance: .1, Instructions: 66COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7a930eb645e82a33901dc9fc4de726ac3fd49abd465c9349e9c69cbe947632ab
                  • Instruction ID: 92cd430b530cad6b2649cd4a8b64633476e7174cffd722f841eaf6109b2deea0
                  • Opcode Fuzzy Hash: 7a930eb645e82a33901dc9fc4de726ac3fd49abd465c9349e9c69cbe947632ab
                  • Instruction Fuzzy Hash: 5D216F75A04205DFCB18CF59C581AAEBBB6FB89318F24416ED545AB320DB71AD06CBD0
                  Function 05EC674D Relevance: .1, Instructions: 65COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5f53273ecc8038491925c62afc4b033767ee17347be58a37e932575cbcc483b3
                  • Instruction ID: 8571e286583bb668fa1e460610c33f1a5b9ba866ae36669e04bdb5e09e534dfe
                  • Opcode Fuzzy Hash: 5f53273ecc8038491925c62afc4b033767ee17347be58a37e932575cbcc483b3
                  • Instruction Fuzzy Hash: D3216A76604A00EFDB20CF68C981FA7B7F9FF44254F40A86DE5AAC7651DA30E851CB60
                  Function 05EC66B0 Relevance: .1, Instructions: 61COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 481e0d15dde642cdf7b206dc5667d7e1e2e04c28dd93900686887d8b7f94533d
                  • Instruction ID: d2190eccfeba78f34c775353cb2b9eaf3b5c31e4e13ab883ea12ff7ffc4c86fe
                  • Opcode Fuzzy Hash: 481e0d15dde642cdf7b206dc5667d7e1e2e04c28dd93900686887d8b7f94533d
                  • Instruction Fuzzy Hash: 88119D77A01204DBCB24CF99C680A6ABFE6AF84610B0154BDE9859B310EA34DD01CB90
                  Function 05F5FF09 Relevance: .1, Instructions: 60COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7427709c6f801ed22491c744f69def182555b14348861e5a36aac0650cd303ba
                  • Instruction ID: 5a3e30416f921a6450c32ced76266dbb97c15e73e60a0cfb1070bbc484daad60
                  • Opcode Fuzzy Hash: 7427709c6f801ed22491c744f69def182555b14348861e5a36aac0650cd303ba
                  • Instruction Fuzzy Hash: 6421B2B1A102159FDB54CF39E885B12BBE5FB4C315B458ABAE90CCF206E770E844DB90
                  Function 05EB27ED Relevance: .1, Instructions: 58COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67cb4c70bbcfc342cc3862e171fa5d5e04cd5c684c5a70c086d0239b6d9e9108
                  • Instruction ID: 8ecb2cccddd1a160f787b2c8666007e2c36a2de9381f40990cff62e75409c116
                  • Opcode Fuzzy Hash: 67cb4c70bbcfc342cc3862e171fa5d5e04cd5c684c5a70c086d0239b6d9e9108
                  • Instruction Fuzzy Hash: 63012B75705684ABF326A669DC48FA7778DFF44399F0910B4FA858F250E964DC00C361
                  Function 05F4D6F0 Relevance: .1, Instructions: 57COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                  • Instruction ID: 6e57d29c407b4905428da2eef94032048d366d5b00c05efc68dbc11049772af8
                  • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                  • Instruction Fuzzy Hash: 5C016176B04109AB9F05EAA6CA84DAF7FBDEF85A54F000459A905D7240E734EE41CBA0
                  Function 05E94690 Relevance: .1, Instructions: 57COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 69d4abf4f588818dd5ff0ab172bf57c79738c92a6bea0153016ee54cfd61b2ea
                  • Instruction ID: 5209f422aca74cfbc746884533f55ba0e1084504fcb7d1a2e2f0304d39837e50
                  • Opcode Fuzzy Hash: 69d4abf4f588818dd5ff0ab172bf57c79738c92a6bea0153016ee54cfd61b2ea
                  • Instruction Fuzzy Hash: 6011C67B254648AFDF2ACF59D844F5677A5FB89768F005115F8858B290C774E801CF60
                  Function 05EBB052 Relevance: .1, Instructions: 57COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: df5ecee84d5eec40066504deb121b105df19c9b50fa533538c015691832748d2
                  • Instruction ID: 40ec5717f54dde0ca7c738120062452567fe233bd2c847340894fe50bbf2ec7b
                  • Opcode Fuzzy Hash: df5ecee84d5eec40066504deb121b105df19c9b50fa533538c015691832748d2
                  • Instruction Fuzzy Hash: 1801F972B04300BBF720AF699C85FFBB7EDDF84215F041038E686D3241EAB0E9018621
                  Function 05EC6620 Relevance: .1, Instructions: 56COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2c05b06889e660234666bb34d40c6e266d330d95ed440fe04c9afabe9f38b987
                  • Instruction ID: 6b13c8f18c3be83674c5f1269d2da239522d5dad5f955b517a9e051daf3e6fbf
                  • Opcode Fuzzy Hash: 2c05b06889e660234666bb34d40c6e266d330d95ed440fe04c9afabe9f38b987
                  • Instruction Fuzzy Hash: CA118676A00715ABDB21DF69CE80B5FFBB9FF44744F501499D946AB201D734ED028B60
                  Function 05EBE53E Relevance: .1, Instructions: 55COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                  • Instruction ID: b40179d46b1279cb6d34b0e0f1a2d2b0cdcc8276d10751fe9d5480a12456755d
                  • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                  • Instruction Fuzzy Hash: E5112972706AC1DBF72287A8D444BE577D9BB0074CF0924A0DEC18B681FB28D941C360
                  Function 05F0E1D0 Relevance: .1, Instructions: 51COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2b82f1e01672e524df14caf12a4804f182a7b97fe247414ac2b0355b1bc316c4
                  • Instruction ID: 41d81638929a161cf264c2add5afc86cf1794dafd5c1c9a2b82d5bebade96081
                  • Opcode Fuzzy Hash: 2b82f1e01672e524df14caf12a4804f182a7b97fe247414ac2b0355b1bc316c4
                  • Instruction Fuzzy Hash: DC11AD32741640EFDB26EF19CD84F56B7B8FF48B84F2414A5FA059B6A1C235ED01CAA0
                  Function 05E9208A Relevance: .0, Instructions: 50COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                  • Instruction ID: 3195141fdd9a3ba0d41c4852963c37d50c66cbea17f0085270ebbc42e4bce5cb
                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                  • Instruction Fuzzy Hash: FB012837300200ABEF189E29D884FA2776BBFC4704F1564A5EE928F245EA71D881C790
                  Function 05ECE5CF Relevance: .0, Instructions: 49COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fb691d828d562a370c09cbd27e484a2bb4fd9c0a05bda72b4b98c2f5589d4276
                  • Instruction ID: 1b26f61b534d1435fbe93b0beb03f83977fd963e5c22b3be3e8240653baa5b88
                  • Opcode Fuzzy Hash: fb691d828d562a370c09cbd27e484a2bb4fd9c0a05bda72b4b98c2f5589d4276
                  • Instruction Fuzzy Hash: B9018472741900BFD311BB79CD88E57BBACFF896507041525B24997951EB68FC01C6A0
                  Function 05ED20F0 Relevance: .0, Instructions: 49COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 542beaaafc54f3426585b3359df920ae4e4cc3c80829c54b7af8912214a6c82a
                  • Instruction ID: 836a256953074260e04ff22bb557cd87b8d6b5f83fbea78b6a265f1ccb1865a9
                  • Opcode Fuzzy Hash: 542beaaafc54f3426585b3359df920ae4e4cc3c80829c54b7af8912214a6c82a
                  • Instruction Fuzzy Hash: 1A116175A0020CAFDF15DF64C855EAEBBB6EB44640F008059F94197290EA35AE12CBA0
                  Function 05E8C020 Relevance: .0, Instructions: 49COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                  • Instruction ID: cdab4ea7449cf50f2af0d8a20d5859acb20c4d106448beeb88b1b039461cb69e
                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                  • Instruction Fuzzy Hash: 3401F932200704DFEB22EAA5C904FB777EAFFC5254F14641DA5CE8B540EA70E806CB60
                  Function 05F4F5BE Relevance: .0, Instructions: 47COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e06a00c72ac120c2ca35f250ca8d51b0a9fdd58d3ccdcbfa96aac35126de3ecd
                  • Instruction ID: a49fae4086f794070fa6bedb0c85ad25dc51a5d486dc7af8f612d3d03b17eb37
                  • Opcode Fuzzy Hash: e06a00c72ac120c2ca35f250ca8d51b0a9fdd58d3ccdcbfa96aac35126de3ecd
                  • Instruction Fuzzy Hash: C4017171E10248EFDB14EFA9D945FAEBBB8EF44700F004466B944EB390DA74DA01CBA5
                  Function 05F4F453 Relevance: .0, Instructions: 47COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41dd74a015e43dbabbafbaa1329427e7428832a7a18ffd49a48744644a64d3d1
                  • Instruction ID: 63503881be4dc44ae07a77c4f066d51828e3cc34316c09c9dc51a680d8e0c27f
                  • Opcode Fuzzy Hash: 41dd74a015e43dbabbafbaa1329427e7428832a7a18ffd49a48744644a64d3d1
                  • Instruction Fuzzy Hash: DB017171E10248AFDB14EFA9D845FAEBBB8EF44710F404066B944EB391DA74DA01CBA5
                  Function 05ECD1D0 Relevance: .0, Instructions: 47COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                  • Instruction ID: 0aefd9bcba97ee6aa0ddd3d5de2344372aae736dc7c4f71d941c5b7fbf8fe4ad
                  • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                  • Instruction Fuzzy Hash: 0D014CB2B041849BDB19DA54FE04F757756EB84634F1471ADFD528B2C0DB75D802C790
                  Function 05EAE016 Relevance: .0, Instructions: 46COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                  • Instruction ID: 2a4680034b5896526f18ef169342e5411d6dec8a2f96530cb083e299cd936844
                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                  • Instruction Fuzzy Hash: 47017C72214680DFE322CA2DC988F66B7DDFF44B54F0914A1E886CF692D668EC40C621
                  Function 05E92582 Relevance: .0, Instructions: 45COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f80a8e4b691f0e3ce71d1b4767970635cbd1eeafc2283596e945e42f578e4500
                  • Instruction ID: 3e32b78c9adeff4b476635b23f2f8e6a20cb332363927b896fd9da78bb12b0b4
                  • Opcode Fuzzy Hash: f80a8e4b691f0e3ce71d1b4767970635cbd1eeafc2283596e945e42f578e4500
                  • Instruction Fuzzy Hash: 7CF0F433B41B10BBCB35DF568D44F57BAAAEB84B90F108429A68597640DA30ED01CAB0
                  Function 05F5972B Relevance: .0, Instructions: 44COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                  • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                  • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                  • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                  Function 05F65636 Relevance: .0, Instructions: 44COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 181984abf80643d10f93b37c4b4b27c1b52cd2d1d6a3006603bb4e79eaa07f22
                  • Instruction ID: 5d3b63070fb06149be5280b8b9dc33867f8eb0a3c8c1e0e27d9579049fe9bd09
                  • Opcode Fuzzy Hash: 181984abf80643d10f93b37c4b4b27c1b52cd2d1d6a3006603bb4e79eaa07f22
                  • Instruction Fuzzy Hash: 0C118075E10249EFCB04DFA8D445AAEB7B4FF18304F10845AB815EB391E734DA02CB64
                  Function 05F65537 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 681e65e24fe1832a2aaabd9466d66379925d24746439c81e568fe028b953e9c7
                  • Instruction ID: 08c042c08b18637cb17bf458d996f2d00972f2db5baa50e389cada1aa99a8190
                  • Opcode Fuzzy Hash: 681e65e24fe1832a2aaabd9466d66379925d24746439c81e568fe028b953e9c7
                  • Instruction Fuzzy Hash: 87111BB1A10249DFDB04DFA9D545BADFBF4BF08304F04426AE549EB382EA38D941CB90
                  Function 05EC5734 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                  • Instruction ID: 0ac03a450eb6a8b045a136a662df0399c1142442b4c8e406e6d2e769ccd6244f
                  • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                  • Instruction Fuzzy Hash: 1EF04F33A00210AFE319CF1CC980F6ABBEDEB04284F0040AED401DB230E270EE01CA90
                  Function 05F65152 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0fd3b3cb35183c0d294e9d34e87505992d44620f0abc0324f37dd323112b476c
                  • Instruction ID: 1bc4013bf45d818e0befdd844e1a4e7c62f342de434ca1d0473d76fe78e93197
                  • Opcode Fuzzy Hash: 0fd3b3cb35183c0d294e9d34e87505992d44620f0abc0324f37dd323112b476c
                  • Instruction Fuzzy Hash: 730121B1A1024D9BDB00DFA9D9459EEBBB8FF48300F10405AF501F7350E674AA018BA4
                  Function 05F650D9 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c89bf69ba8ff85763219c3002d96ae00433d06bd9381645628f8c3a7ec030a41
                  • Instruction ID: 8023f6e26a60870baa3e1c24dc22e18b8e28622196f55f96b7e94ea7ea9ea13d
                  • Opcode Fuzzy Hash: c89bf69ba8ff85763219c3002d96ae00433d06bd9381645628f8c3a7ec030a41
                  • Instruction Fuzzy Hash: BA012CB1A1020DABDB00DFA9D9459EEBBB8EF48300F50445AF501F7390EA74A9018BA4
                  Function 05F65060 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fbfb1a7066995bef8a5d48e2dc517a837bc1540932a3a719f8a3fe02b037e52d
                  • Instruction ID: e53876a181194e9aa82c6d8cd0f5d35c710cb79884884dcff1fccbc521e5857b
                  • Opcode Fuzzy Hash: fbfb1a7066995bef8a5d48e2dc517a837bc1540932a3a719f8a3fe02b037e52d
                  • Instruction Fuzzy Hash: F3012CB2A1024DABCB04DFA9D9459EEBBB8EF48300F50405AF901F7391D674EA018BA5
                  Function 05EBC073 Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                  • Instruction ID: d0c6f81076b1fc267452fc9660affab520a56f5d20abeced4d9da1580b49c259
                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                  • Instruction Fuzzy Hash: A3F0C2B3600611ABE334CF4DDC40E57F7EAEBC0A80F148129A549CB220EA71ED05CB90
                  Function 05F4F78A Relevance: .0, Instructions: 42COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fc056f89da9b48cfd92d865172c7ed737b77f8b783d0f8ea7b585ceb50298d68
                  • Instruction ID: 80f490be04ad4c262f7ce2e7427c96787adfc7b08b683c31ba63c32d4c7abeb9
                  • Opcode Fuzzy Hash: fc056f89da9b48cfd92d865172c7ed737b77f8b783d0f8ea7b585ceb50298d68
                  • Instruction Fuzzy Hash: 230100B5E0024D9FCB04DFA9D545AAEBBF4FF08304F108465A855E7351E678DA00CB61
                  Function 05F661E5 Relevance: .0, Instructions: 41COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dc7dbb8e7bb0dd96ec196bc5c92b5a5cb4953a9a0fd66db2b182f8b2f4bc27ee
                  • Instruction ID: feb97fadc690ecae5cd965314ec20ba48a8733f9a184c54dc9cec3dbb84badff
                  • Opcode Fuzzy Hash: dc7dbb8e7bb0dd96ec196bc5c92b5a5cb4953a9a0fd66db2b182f8b2f4bc27ee
                  • Instruction Fuzzy Hash: 38014F71A1024DDBDF04DFA9D445AEEBBB8AF48310F14405AF501FB290DB78EA02CBA5
                  Function 05F1A4B0 Relevance: .0, Instructions: 40COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b71020b916fb559082a308bce9a0165d8817b3690aa50e9349a44cce1880bac3
                  • Instruction ID: 98bede5c0bacdb1ea5b4d0c7deef3e67cc03b93de73427c3372974f75a8523a2
                  • Opcode Fuzzy Hash: b71020b916fb559082a308bce9a0165d8817b3690aa50e9349a44cce1880bac3
                  • Instruction Fuzzy Hash: F5019A36515109EBCF129F84DC40EEE3F66FB4C754F058105FE1966220C63AD970EB81
                  Function 05EC656A Relevance: .0, Instructions: 39COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e6464811d49ed21c75b920d325a67bff548b885f747b5221624b2c2736c8f8ab
                  • Instruction ID: eff82cfc60ab3541c9f5c74ed3993cd1a997026856d1c524f7fb553f5773240f
                  • Opcode Fuzzy Hash: e6464811d49ed21c75b920d325a67bff548b885f747b5221624b2c2736c8f8ab
                  • Instruction Fuzzy Hash: B301F4717447C0DBE722977CCE0CF367BA9BB04B08F182994BAC28B6D5EB2CD4028110
                  Function 05E8C0F0 Relevance: .0, Instructions: 39COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ed5079f0845c173637beca60a4c4f0b20940e68e56ca6425c260bc0729baa806
                  • Instruction ID: 0d4c1bb281acc0badcbe627a9f3e9f0216a4122acd10d38a0892c4efceb25451
                  • Opcode Fuzzy Hash: ed5079f0845c173637beca60a4c4f0b20940e68e56ca6425c260bc0729baa806
                  • Instruction Fuzzy Hash: E0F0F0713543005BF614A6259C82F7232B6E7C1698F75A06AEACD8F2D0FA70EC0183A4
                  Function 05F653FC Relevance: .0, Instructions: 39COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5b920d4b2e240a241483292b03f22aab90c2d7c2cfab38bf5103e1d9aba8034f
                  • Instruction ID: 7491f0ad253e99a39704a6284b802fd3bf824d87200f66f4404c06395e28beb6
                  • Opcode Fuzzy Hash: 5b920d4b2e240a241483292b03f22aab90c2d7c2cfab38bf5103e1d9aba8034f
                  • Instruction Fuzzy Hash: 500121B0E00209DFDB04DFA9D555B9EF7F4FF08300F1481A5A519EB381EA749A418BA1
                  Function 05F63749 Relevance: .0, Instructions: 38COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                  • Instruction ID: 198bc9d591dc2b853d82756d67442cec789bd16d4988865de176b2bd7119bb94
                  • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                  • Instruction Fuzzy Hash: FDF04FB6A40204BFE711EB64CD41FEAB7BCEB04710F00056AAA56D71D0EA70EA44CBA1
                  Function 05F655C9 Relevance: .0, Instructions: 35COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 24192207d80c3e493eb7d1792e88c06bc2e2866d15ac523d360c722090de451a
                  • Instruction ID: 1d0874e1d6e3671e97098217b61c7c71e7d3bcd308a475e4654b4971fc5b90e8
                  • Opcode Fuzzy Hash: 24192207d80c3e493eb7d1792e88c06bc2e2866d15ac523d360c722090de451a
                  • Instruction Fuzzy Hash: F0F04475A1024CEFDB04EFB8D545AADB7F4EF18300F504455B445EB380D674DA01CB54
                  Function 05F4F3E6 Relevance: .0, Instructions: 35COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f69c4e259ce8e1a7759878e344ca5137cf00b9162cef48d835e91c8321a26f4b
                  • Instruction ID: 0bd7dd4482273018c751526b1980ccd07d978e9409e191cc060c394a099c0df1
                  • Opcode Fuzzy Hash: f69c4e259ce8e1a7759878e344ca5137cf00b9162cef48d835e91c8321a26f4b
                  • Instruction Fuzzy Hash: CCF04471E0024CEFCB04DFA9D549A9EBBF4EF08300F404065B945EB391DA74DA01CB54
                  Function 05E947FB Relevance: .0, Instructions: 33COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e069b15afe9dc11a4c8dac8a5d781b8ac9589bd1de6a3c3e8fadd7aceea1849e
                  • Instruction ID: 9ddbb4579a6c68e33fb88750fd43b2a8498df9a786bd9527acd3fabd9f26efe3
                  • Opcode Fuzzy Hash: e069b15afe9dc11a4c8dac8a5d781b8ac9589bd1de6a3c3e8fadd7aceea1849e
                  • Instruction Fuzzy Hash: 34F0F0319062D08EEF3ACB28C048FE177D5BB00768F086CEAE8CA87581D324D882C600
                  Function 05F4F6C7 Relevance: .0, Instructions: 33COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 623cac2fc7fe71a1ea1e95d8f147a176c6d0800d6fb213f1bc3e5dcd7059b0f9
                  • Instruction ID: 6db7302e81b4dc4f96c572554034a74309a6440d77a92536e9820ca7137f9fdd
                  • Opcode Fuzzy Hash: 623cac2fc7fe71a1ea1e95d8f147a176c6d0800d6fb213f1bc3e5dcd7059b0f9
                  • Instruction Fuzzy Hash: 86F06DB1A10248EFDB04EFA9D409EAEBBF4AF08304F004469E545EB391EA78E901CB54
                  Function 05F50115 Relevance: .0, Instructions: 32COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 72fcddeabc8872266a4a39270e295f80c167f437470b6239728082a901ced3e1
                  • Instruction ID: 0b30356bf4a1d88643d79178d8bad653d2893f94ba1893f44aab612215317940
                  • Opcode Fuzzy Hash: 72fcddeabc8872266a4a39270e295f80c167f437470b6239728082a901ced3e1
                  • Instruction Fuzzy Hash: 6FF027669296C406CB216B28789D7B13F6BA742234F0A1485DDB19F641DD7C8483C661
                  Function 05ECC5ED Relevance: .0, Instructions: 31COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 521d4bffb89318fe486eda7d508618fa09227499e05fffc83ceefe895fd65b41
                  • Instruction ID: bd380081c6cd794a2e64e6d210a8c97e142de2b6ba4c0e2347aa02e675c69269
                  • Opcode Fuzzy Hash: 521d4bffb89318fe486eda7d508618fa09227499e05fffc83ceefe895fd65b41
                  • Instruction Fuzzy Hash: CFF0B4725156509BE722D724C348B617BD5BB40FA8F2874A9D4AE87612C264DC83C690
                  Function 05ED2619 Relevance: .0, Instructions: 31COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                  • Instruction ID: ffee557299cdfcb06a65830fda47d7f7a7440f9dc812c12492f8c3a928dba459
                  • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                  • Instruction Fuzzy Hash: FEE0D8723006002BE7219E598CC4F47B76EEFC2B10F04407DB6045F252C9E2DC0A82B4
                  Function 05F654DB Relevance: .0, Instructions: 30COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0844c3c4c64cd3f7def59e6cbea6e33915720d05079de2d97231494f3230b71d
                  • Instruction ID: 60c9f27c5a91d136919b470042765b29c4b6c2eb8941dd0719187e905c8f09a2
                  • Opcode Fuzzy Hash: 0844c3c4c64cd3f7def59e6cbea6e33915720d05079de2d97231494f3230b71d
                  • Instruction Fuzzy Hash: B1F08271A1024CABDF14EBB9D55AE9EBBB9AF08304F501458A541EB2C0EA78DD018728
                  Function 05F6547F Relevance: .0, Instructions: 30COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 339f173375202cf023d159a60f2962a5662c11d282644f069ab322d08a095b6f
                  • Instruction ID: e6159b350473694a5752fa5177928aa711dc017a3aedaed7f20d626cb439482d
                  • Opcode Fuzzy Hash: 339f173375202cf023d159a60f2962a5662c11d282644f069ab322d08a095b6f
                  • Instruction Fuzzy Hash: D8F08271B11248ABDB04DBB9D55AE9EB7B8AF08304F501494E541FB3C0EA78D9018768
                  Function 05F4F72E Relevance: .0, Instructions: 30COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 973eda77ed75be136731c0ca47f3aaed30fee18c8345d5d5421cb1bb0a5fa325
                  • Instruction ID: bd144a66e6ab74235b5874e2c211412f725c2232df085b4cf786ae042f9b6d18
                  • Opcode Fuzzy Hash: 973eda77ed75be136731c0ca47f3aaed30fee18c8345d5d5421cb1bb0a5fa325
                  • Instruction Fuzzy Hash: 00F08271A10248ABDF04DBB9D55AE9EBBB8EF08704F001454E542EB3C0E978D9018729
                  Function 05F651CB Relevance: .0, Instructions: 30COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4a83fa86c04165266379c32515224eebddcab6ba31b2efcb74123d3727c9f028
                  • Instruction ID: 71a785711b3979a271c9903138ae074ba4c39eb5aba1de88345f58d5acd60077
                  • Opcode Fuzzy Hash: 4a83fa86c04165266379c32515224eebddcab6ba31b2efcb74123d3727c9f028
                  • Instruction Fuzzy Hash: 64F089B1B1024C9BDB04DBB4D509E6EB7B4AF04304F440455B541EB2D0EA74D901C754
                  Function 05F0D070 Relevance: .0, Instructions: 30COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                  • Instruction ID: 2c645edc18d60c10251b9f49204f2862bbe26cb6a6815f3831393f8d6935fb2e
                  • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                  • Instruction Fuzzy Hash: B0F0E533A046146BC231AA598C05F5BFBACDBD5B70F24031ABA649B1D0DA70A902D7E6
                  Function 05EC55C0 Relevance: .0, Instructions: 28COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                  • Instruction ID: 489dbccfaca3577e561e4749dc6b6837f6dc1c08072cd939fc97b9e7d2c9c59c
                  • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                  • Instruction Fuzzy Hash: A0E0E533504614ABC6215B16DD04F52FB6BFF517B0F24451AA1D9175D08764FC12CAE4
                  Function 05E90710 Relevance: .0, Instructions: 28COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                  • Instruction ID: 11c0c5aafdac86b1f7ca8c9075b9668a1a90208236b48d2f1770bd46010d250a
                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                  • Instruction Fuzzy Hash: 62F0E53A304344DFEB1DDF15D048AE57BA9FB45360F041454EC828B340E731E991CB40
                  Function 05F637B6 Relevance: .0, Instructions: 27COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                  • Instruction ID: 07b6c5b533fedd048c56a2847910125921c36fb19c10006580c9f7ad7c89e777
                  • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                  • Instruction Fuzzy Hash: 49E06D72614204BFE764DB58CD05FA673ACFB04720F140658B116970D0DAB4BE40CA60
                  Function 05E925E0 Relevance: .0, Instructions: 23COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 1fb8dbb58ef62d13efe9ecfe811d4d4df8847d4060e4f0c70a25de83f6f3af65
                  • Instruction ID: 2600a0e9bcdd1906dbc479735f6ec0abec0914a619ce1240d68c21fbe25f43ab
                  • Opcode Fuzzy Hash: 1fb8dbb58ef62d13efe9ecfe811d4d4df8847d4060e4f0c70a25de83f6f3af65
                  • Instruction Fuzzy Hash: 02E02233200984ABCB11BB29CC05F9ABBAAEF50360F000514B1958B190CB30AC00C794
                  Function 05F4B3D0 Relevance: .0, Instructions: 21COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                  • Instruction ID: 762bd371f27f7bbcb8b20f9e29fa2f5eb33296bae0e9e2139a9ea4daf607fbc8
                  • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                  • Instruction Fuzzy Hash: 43E0CD32384114BBDF226E50CC00F757B56EF407A0F204031FA4C5E650C575EC51DAD4
                  Function 05E92050 Relevance: .0, Instructions: 20COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 384f5ed6322baf3181b595d567e7568ebd725b6c390f9b7b1e57d33ecea0ce08
                  • Instruction ID: 10c034d55392a56b3661e8d590bf832c6f607afdc24aff9dce00b3beb86027c8
                  • Opcode Fuzzy Hash: 384f5ed6322baf3181b595d567e7568ebd725b6c390f9b7b1e57d33ecea0ce08
                  • Instruction Fuzzy Hash: 41E08C332004946BCA15FB6DDD01F5A77AAEFA5360F100121B1908B690CA24AC41C794
                  Function 05E8B562 Relevance: .0, Instructions: 17COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                  • Instruction ID: 52c89b94c1fb73cfb5ddb63a9c3dd2b362b43bf414ff50159584ab661f2fb43b
                  • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                  • Instruction Fuzzy Hash: 4CD05B31261650AFD7317F15EE09F527A76AF80B10F15155870CD164F08661ED55C694
                  Function 05ECE59C Relevance: .0, Instructions: 16COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                  • Instruction ID: 6c90f80de3ef068c591314d2d8b9e2c9b40ced35073492b6a33817f4d02309bd
                  • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                  • Instruction Fuzzy Hash: 25D0A7336045106FD731AA1CFC04FD373D9BB48720F150459B004C7050C364AC41C644
                  Function 05E8A0E3 Relevance: .0, Instructions: 15COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                  • Instruction ID: 9bdefee2f4c168257e9ac8762cbdc178e4f95ed57311c706f868ae7569e89119
                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                  • Instruction Fuzzy Hash: E9D02233316030A7DB28AB606C04FB3AA06AB80AA4F1A003E340E93800C0048C42C2E0
                  Function 05ECC700 Relevance: .0, Instructions: 12COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                  • Instruction ID: 1eecaa291e3f7f6ae327397082426e70fb601bc0d2462725ab9a1ba8f9ff0c3b
                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                  • Instruction Fuzzy Hash: 64C01233290648AFD712ABA8CD01F02BBAAEB98B40F100421F2048B670C631F820EA94
                  Function 05EB340D Relevance: .0, Instructions: 10COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                  • Instruction ID: 0190006ab7a83f5a1f38827146235b57b361b10c93d634ff535662022ef61699
                  • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                  • Instruction Fuzzy Hash: 49C08C712615807EFB3B5710CD06F3E3651BB0870BF94299CEAC12D4A1C3A8F8028228
                  Function 05E90750 Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                  • Instruction ID: d19fe0c1b41cd48ef6f65962961345ddb09dcca48deaf2f99ad03620e31f6f1e
                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                  • Instruction Fuzzy Hash: 6AC04C75711981CFDF15DB69D294F5577E4F748744F152890E845DB721E624FC01CA10
                  Function 05ED4650 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8746c733bf7565cf1509b78f7a07c93de41c078fd01ac48482e9b246dc8cd346
                  • Instruction ID: 10db4a1836cb38159f195e0186df4fa0f53c2142eac44e3ffea79bb27f125454
                  • Opcode Fuzzy Hash: 8746c733bf7565cf1509b78f7a07c93de41c078fd01ac48482e9b246dc8cd346
                  • Instruction Fuzzy Hash: E1900272A1550042418071584846406601597E13013D5D115A0994560C861889559269
                  Function 05ED3090 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1bb7af3a6c5d40f7b620ba151fb07c85303c1ce6f4f82e586558b0672a144cc4
                  • Instruction ID: f1321b4443f693ad4b61f5a7f775f7f2579f08ecbf9fb9a256151fb50be6e7dd
                  • Opcode Fuzzy Hash: 1bb7af3a6c5d40f7b620ba151fb07c85303c1ce6f4f82e586558b0672a144cc4
                  • Instruction Fuzzy Hash: 3B90023265540802D180715884567070016C7D0601F95D011A0464554D86168A6566B1
                  Function 05ED3010 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b1b0b3f7fb28cbb59432c40c586ac1b5f89e8a596e943839a37d2c5fb8c2ff5c
                  • Instruction ID: 83bbd1eaa023fea8518a4ca58e6c298a9ee32cac8b5c3bab4d6ca570a6f6acee
                  • Opcode Fuzzy Hash: b1b0b3f7fb28cbb59432c40c586ac1b5f89e8a596e943839a37d2c5fb8c2ff5c
                  • Instruction Fuzzy Hash: FE90023261584442D18072584846B0F411587E1202FD5D019A4596554CC91589555721
                  Function 05ED4340 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5aa4398370d19fd3a9304e68997c20db92288c3be4db6b18eacd3384c2370970
                  • Instruction ID: f2d41f854c231ee71c997bda2050709a1593d1827853cd0a0ba8c0f26c51cf2a
                  • Opcode Fuzzy Hash: 5aa4398370d19fd3a9304e68997c20db92288c3be4db6b18eacd3384c2370970
                  • Instruction Fuzzy Hash: 42900232A19800129180715848C6546401597E0301B95D011E0864554C8A148A565361
                  Function 05ED2DD0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0211a4c1eeb482895d2ea9335323434708bdedfc1c39b52909afac95fcb2f628
                  • Instruction ID: 5ffaec5f1dce78cf31e740b7b0e402f2e8be1f6eba72587f41e44f92081ece09
                  • Opcode Fuzzy Hash: 0211a4c1eeb482895d2ea9335323434708bdedfc1c39b52909afac95fcb2f628
                  • Instruction Fuzzy Hash: 02900232656441525585B1584446507401697E02417D5D012A1854950C85269956D621
                  Function 05ED2DB0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7b208616e541a557b240bb9499382affbf95ced646f2f44b34c04c66e466a182
                  • Instruction ID: 58763b6877d728c1944640f1f1d87c909413186abd0d93da306d5a74ca7d280b
                  • Opcode Fuzzy Hash: 7b208616e541a557b240bb9499382affbf95ced646f2f44b34c04c66e466a182
                  • Instruction Fuzzy Hash: 8790023265540402D18171584446606001997D0241FD5D012A0864554E86558B56AA61
                  Function 05ED3D70 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6679e816558b09909d13c65e46529648129907af6ca82c8fdba3ef9ef44149f3
                  • Instruction ID: 6cd24fa0de0f5c843a6bd0a2c60c54b0d8baa2d1ae18c47601c639d0c4acb79e
                  • Opcode Fuzzy Hash: 6679e816558b09909d13c65e46529648129907af6ca82c8fdba3ef9ef44149f3
                  • Instruction Fuzzy Hash: 5690023661540402D55071585846646005687D0301F95E411A0864558D865489A1A121
                  Function 05ED2D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6860e7a8f24187576db90708c7c604dea42bcc421f9e546020142facae4d773b
                  • Instruction ID: 2905fb2b71d411a1b583e08b25ecf96704a976486ca9381902545ed3460682d8
                  • Opcode Fuzzy Hash: 6860e7a8f24187576db90708c7c604dea42bcc421f9e546020142facae4d773b
                  • Instruction Fuzzy Hash: 8790023271540003D1807158545A6064015D7E1301F95E011E0854554CD91589565222
                  Function 05ED2D00 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 22cb2cbfc55a21bcdd8889102973741253b71dcfda96c2fd01620e3e545026d3
                  • Instruction ID: dd789ae32ca74d1d38f72d874cb215d14e725425978b365084cc8832af0d40ed
                  • Opcode Fuzzy Hash: 22cb2cbfc55a21bcdd8889102973741253b71dcfda96c2fd01620e3e545026d3
                  • Instruction Fuzzy Hash: DD90023261944442D1407558544AA06001587D0205F95E011A14A4595DC6358951A131
                  Function 05ED2D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7ae95431e5ece464e010265e6fecf119c9b38745ac2eae02fba0242e3e230d67
                  • Instruction ID: 097592399b86f663b380c4259659faf2ee2ee423d8a82bbcbb3d909b978b9618
                  • Opcode Fuzzy Hash: 7ae95431e5ece464e010265e6fecf119c9b38745ac2eae02fba0242e3e230d67
                  • Instruction Fuzzy Hash: DA90023A62740002D1C07158544A60A001587D1202FD5E415A0455558CC91589695321
                  Function 05ED3D10 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6089bce41430a242e91ba0c8ea992573f14fb843ba5f7043c4e805d8b41cc873
                  • Instruction ID: 64a98ec12c7ef8a7f0a456653eba2e4c693a3100f3ff34566b9aa65efc95819a
                  • Opcode Fuzzy Hash: 6089bce41430a242e91ba0c8ea992573f14fb843ba5f7043c4e805d8b41cc873
                  • Instruction Fuzzy Hash: BB90023261640142958072585846A4E411587E1302BD5E415A0455554CC91489615221
                  Function 05ED2CF0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 48e6f0525ed69d2bc838cc925ef865cde63db8507bf6486a45b4df61c29d868b
                  • Instruction ID: bde337b0996327b621d6609baea19c55ebaaf1e131887df5d42c1ae1ce097bd5
                  • Opcode Fuzzy Hash: 48e6f0525ed69d2bc838cc925ef865cde63db8507bf6486a45b4df61c29d868b
                  • Instruction Fuzzy Hash: DC90023261540403D1407158554A707001587D0201F95E411A0864558DD65689516121
                  Function 05ED2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 991d55f612489a43f59d92d99e299da350399f36f90e7bdf88afa3c430461352
                  • Instruction ID: c7fe5622d3ecf1c62e25a9e98e95bef1434d8d0e94967fbb06549a186d1ad7ca
                  • Opcode Fuzzy Hash: 991d55f612489a43f59d92d99e299da350399f36f90e7bdf88afa3c430461352
                  • Instruction Fuzzy Hash: 70900232A1940402D1807158545A706002587D0201F95E011A0464554DC6598B5566A1
                  Function 05ED2C60 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2e71e51444d892fdc31e57e5ac2cb241ab4625d1a9e8655070038ba696149896
                  • Instruction ID: f1822745e923875c83d8f1dc0925da4e27e71bb7f61437ed8449d0b6b5791d6d
                  • Opcode Fuzzy Hash: 2e71e51444d892fdc31e57e5ac2cb241ab4625d1a9e8655070038ba696149896
                  • Instruction Fuzzy Hash: C390023261540842D14071584446B46001587E0301F95D016A0564654D8615C9517521
                  Function 05ED2FE0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f3f805dc4d28ae64081657ae9f121369e511abfd1b0871e8e2b74d1369f4a6b0
                  • Instruction ID: f9b1f4e98486ea4c5791fbd3c725408a6b469a05d061740faa0501ca8cabf7c2
                  • Opcode Fuzzy Hash: f3f805dc4d28ae64081657ae9f121369e511abfd1b0871e8e2b74d1369f4a6b0
                  • Instruction Fuzzy Hash: 23900232625C0042D24075684C56B07001587D0303F95D115A0594554CC91589615521
                  Function 05ED2FA0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e93ad67cd27bad5e6201566ca8cce3d7097591cd909db6c8c7709dee7685d0f3
                  • Instruction ID: eff673136d1b2002693ed5521e79442fb29b3be8c41a0691f3b789bc9cfeb6d4
                  • Opcode Fuzzy Hash: e93ad67cd27bad5e6201566ca8cce3d7097591cd909db6c8c7709dee7685d0f3
                  • Instruction Fuzzy Hash: 7C90023261580402D1407158484A747001587D0302F95D011A55A4555E8665C9916531
                  Function 05ED2FB0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1fbfbc33477b39f2390df0dfb4cd0a58999eddb5f819a1641fc7b127b07e63f1
                  • Instruction ID: 89c2383fd9ee800e9d7017cec69becb270d31c58efabd55e11f246212f4bc3f4
                  • Opcode Fuzzy Hash: 1fbfbc33477b39f2390df0dfb4cd0a58999eddb5f819a1641fc7b127b07e63f1
                  • Instruction Fuzzy Hash: 23900232A15400424180716888869064015ABE1211795D121A0DD8550D855989655665
                  Function 05ED2F60 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6cfc46fc7be8c5045a594313b1ebc9f76e2ceff2d1762c78b9c5745a3aef1abc
                  • Instruction ID: 11bbf763943935c7144171b2e070d1c4e803de2ae04f858b7aa45fa09e8a00c9
                  • Opcode Fuzzy Hash: 6cfc46fc7be8c5045a594313b1ebc9f76e2ceff2d1762c78b9c5745a3aef1abc
                  • Instruction Fuzzy Hash: 8A90027262540042D14471584446706005587E1201F95D012A2594554CC5298D615125
                  Function 05ED2F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b6ab58658f4e1dd391ef8a7085acf381b6a5a429373696185737e1abd14fa1fd
                  • Instruction ID: 83e3c998f15975b4428adeb6fea19702f4855292d6a25201935a2c19e1720269
                  • Opcode Fuzzy Hash: b6ab58658f4e1dd391ef8a7085acf381b6a5a429373696185737e1abd14fa1fd
                  • Instruction Fuzzy Hash: 3090027275540442D14071584456B060015C7E1301F95D015E14A4554D8619CD526126
                  Function 05ED2EE0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e84bde609958b9caa45e052f8dc60fc5f83c09775818fbe92a7472c114036418
                  • Instruction ID: 1557e6a37370251874ffd4749ff3c7698743891dd9e49526ec18428243170865
                  • Opcode Fuzzy Hash: e84bde609958b9caa45e052f8dc60fc5f83c09775818fbe92a7472c114036418
                  • Instruction Fuzzy Hash: 1F90027261580403D18075584846607001587D0302F95D011A24A4555E8A298D516135
                  Function 05ED2EA0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 04e912b4846de3f0ce92dbf06a92b7f49d15afccb6755c857b647d8535ed46d7
                  • Instruction ID: f1474cc4d50075e66da2d051fa59514c474bb00d55c5d47d82fe12116e2f0e76
                  • Opcode Fuzzy Hash: 04e912b4846de3f0ce92dbf06a92b7f49d15afccb6755c857b647d8535ed46d7
                  • Instruction Fuzzy Hash: 0690027261540402D18071584446746001587D0301F95D011A54A4554E86598ED56665
                  Function 05ED2E80 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1b2dd88d9560d9232aee720672ac0c65103411ee5d2d6dd7201467917c24cb8f
                  • Instruction ID: 543c3f8ba26bc0af4ed04b62bee0508477f06927f9e451085a8492cc2d5ea151
                  • Opcode Fuzzy Hash: 1b2dd88d9560d9232aee720672ac0c65103411ee5d2d6dd7201467917c24cb8f
                  • Instruction Fuzzy Hash: C0900232A1540502D14171584446616001A87D0241FD5D022A1464555ECA258A92A131
                  Function 05ED2E30 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 07110432f2e7490125219691f3bc0e9d7a749b5c1c555b2044b7119634ebc795
                  • Instruction ID: 33415a8a9858b5d6621ad6fe06243d8a3c6a05d393f6864439506d8161f06f26
                  • Opcode Fuzzy Hash: 07110432f2e7490125219691f3bc0e9d7a749b5c1c555b2044b7119634ebc795
                  • Instruction Fuzzy Hash: CD90023271540402D142715844566060019C7D1345FD5D012E1864555D86258A53A132
                  Function 05ED39B0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f630265c72f1e8ff4292a123d474078388a86b11f24e77cfd635483eddcefcff
                  • Instruction ID: 4ac93776020c2081b1720e807eb88da646ea4f909c2fa386ff1093d942ab8951
                  • Opcode Fuzzy Hash: f630265c72f1e8ff4292a123d474078388a86b11f24e77cfd635483eddcefcff
                  • Instruction Fuzzy Hash: 0790023265945102D190715C44466164015A7E0201F95D021A0C54594D855589556221
                  Function 05ED2BE0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e1ac90d1c3dfe70e403c659ad1e07712a37fa7c0dfb1ac45f6f10f50bf0f36a0
                  • Instruction ID: 74a3284c215850582ca55901047fbb21becae2c68f6d7fbd0c39087382ca52b2
                  • Opcode Fuzzy Hash: e1ac90d1c3dfe70e403c659ad1e07712a37fa7c0dfb1ac45f6f10f50bf0f36a0
                  • Instruction Fuzzy Hash: CA90023261944842D18071584446A46002587D0305F95D011A04A4694D96258E55B661
                  Function 05ED2BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6955fa2671a795914eb28c4e09445ebe0d897d5651fb624b750f696564cda0ec
                  • Instruction ID: e6d8bf7fd6fab73f10a3a45960d5baa07f486d7433110b282930f9ee99b2689d
                  • Opcode Fuzzy Hash: 6955fa2671a795914eb28c4e09445ebe0d897d5651fb624b750f696564cda0ec
                  • Instruction Fuzzy Hash: 3A90023261540802D1C07158444664A001587D1301FD5D015A0465654DCA158B5977A1
                  Function 05ED2BA0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7068f4e3739cb62a0b9e9d155ff986dae7ed67853841a7dfe0286341095595c7
                  • Instruction ID: 7ce7f3c71f4490212b13d7a283166ec4ae2e6e8ce9f8d9f7d524ce151e77a322
                  • Opcode Fuzzy Hash: 7068f4e3739cb62a0b9e9d155ff986dae7ed67853841a7dfe0286341095595c7
                  • Instruction Fuzzy Hash: 1F900232A1940802D19071584456746001587D0301F95D011A0464654D87558B5576A1
                  Function 05ED2B80 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0c037718f37d6566c395a56d079d2ab7a4324e890c0638aa395a72fc835a23a3
                  • Instruction ID: bc7d1262c95595d676dbd032f4016470a9aa3de83f238a74fcf575a1f0878c22
                  • Opcode Fuzzy Hash: 0c037718f37d6566c395a56d079d2ab7a4324e890c0638aa395a72fc835a23a3
                  • Instruction Fuzzy Hash: A490023261540802D14471584846686001587D0301F95D011A6464655E966589917131
                  Function 05ED2AF0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c398e4e89d8f9ef44176178119a0db2185cef4428fbb41e7f8b5a171442d3445
                  • Instruction ID: 3cdcb72e55cf9710ab466fb408fd2c055d0708b5a2ac685caaf56ec9ab17c58f
                  • Opcode Fuzzy Hash: c398e4e89d8f9ef44176178119a0db2185cef4428fbb41e7f8b5a171442d3445
                  • Instruction Fuzzy Hash: A5900236635400020185B558064650B045597D63513D5D015F1856590CC62189655321
                  Function 05ED2AD0 Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: deea395daf2995b3aa15b30870c91d2051cb6ea7e0a2069bdf53ff1e254fc3ae
                  • Instruction ID: 976cc71e959c2fda11190a47b5c7f0402daaba091f285230af146f27fd68cb23
                  • Opcode Fuzzy Hash: deea395daf2995b3aa15b30870c91d2051cb6ea7e0a2069bdf53ff1e254fc3ae
                  • Instruction Fuzzy Hash: B6900437735400030145F55C07475070057C7D53513D5D031F1455550CD731CD715131
                  Function 05ED2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ed3915c28f8126d503e792eecc06b2be2bc3852e3507d77839ba3587221bae41
                  • Instruction ID: cb7d8347a464fd22e15bb24b2b703abc5bd351835dffb3345b6db3f7bd5df426
                  • Opcode Fuzzy Hash: ed3915c28f8126d503e792eecc06b2be2bc3852e3507d77839ba3587221bae41
                  • Instruction Fuzzy Hash: 129002B2615540924540B2588446B0A451587E0201B95D016E1494560CC52589519135
                  Function 05ED2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                  • Instruction ID: 5df7d430ea4c8e0777fee461542ed982d1ecdf2179795b625398627247cde66f
                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                  • Instruction Fuzzy Hash:
                  Function 05ED2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: ___swprintf_l
                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                  • API String ID: 48624451-2108815105
                  • Opcode ID: 9bca72d999dc7f80decdfa04d29256c2574db73c2cfa2d7a903153a6e8463756
                  • Instruction ID: b89871f44f7f9a853aa2a459a39d53afbd0e8075296f8b6f129ea27309717a7a
                  • Opcode Fuzzy Hash: 9bca72d999dc7f80decdfa04d29256c2574db73c2cfa2d7a903153a6e8463756
                  • Instruction Fuzzy Hash: D5512BBAB04616BFDB20DF98C88097EF7B9BB08200754A169E5D9D7641E374DE0197F0
                  Function 05EC7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON
                  Download Yara Rule
                  Strings
                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05F04725
                  • Execute=1, xrefs: 05F04713
                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05F04655
                  • ExecuteOptions, xrefs: 05F046A0
                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 05F046FC
                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 05F04787
                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05F04742
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                  • API String ID: 0-484625025
                  • Opcode ID: bcea9a546aa0449d839ed16820003eed578847af6c06cbce9ef305d195ca5820
                  • Instruction ID: 14108e1ea5473aafaa745f9b8fbb5e06dafa906926c4badf49894ccbe0e50a7d
                  • Opcode Fuzzy Hash: bcea9a546aa0449d839ed16820003eed578847af6c06cbce9ef305d195ca5820
                  • Instruction Fuzzy Hash: A051073160021D6AEF10EBA49D89FB97BA9FB04305F0410EDE645A7180EB74DA42CF60
                  Function 05EDB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: +$-$0$0
                  • API String ID: 1302938615-699404926
                  • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                  • Instruction ID: 7fd22b7a7ea6d98d10e467b95e10fceedc93a838177f4117506e8b7d8045f796
                  • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                  • Instruction Fuzzy Hash: 8981C235E092499BEF24CE68C4507FEFBAABF45354F1A6259D8E1A72C0E73584428F70
                  Function 05ECBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON
                  Download Yara Rule
                  Strings
                  • RTL: Re-Waiting, xrefs: 05F07BAC
                  • RTL: Resource at %p, xrefs: 05F07B8E
                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05F07B7F
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 0-871070163
                  • Opcode ID: 23de8d41f8fd493a10967245311a4e69093e14b09f900e70e702b22c3ba576d3
                  • Instruction ID: e7346daaa021269c0b307306d845b81a7c1f589f7c9d7524c28f93a2157ae50e
                  • Opcode Fuzzy Hash: 23de8d41f8fd493a10967245311a4e69093e14b09f900e70e702b22c3ba576d3
                  • Instruction Fuzzy Hash: 8441F2317057429FD720EE25CD41B6ABBEAFF88710F001A5DF89A9B380DB30E4068B91
                  Function 05ECB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON
                  Download Yara Rule
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 05F0728C
                  Strings
                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05F07294
                  • RTL: Re-Waiting, xrefs: 05F072C1
                  • RTL: Resource at %p, xrefs: 05F072A3
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 885266447-605551621
                  • Opcode ID: 9d3fb06da8a6f730155d247038a20f4742c73934bd3dfd232f5d83572fc8b7f2
                  • Instruction ID: 3c40cd38f230dfd95959dbeec4b9e598d2f1413de017452efe935cfd77c79837
                  • Opcode Fuzzy Hash: 9d3fb06da8a6f730155d247038a20f4742c73934bd3dfd232f5d83572fc8b7f2
                  • Instruction Fuzzy Hash: 47411231B09246ABC720EE24CD41F66B7AAFB44710F141698F895DB280EB34F812DBE0
                  Function 05ED7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON
                  Download Yara Rule
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID: __aulldvrm
                  • String ID: +$-
                  • API String ID: 1302938615-2137968064
                  • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                  • Instruction ID: 517d5891ebe5b24d2447046e58a01e67e3c7a140562a2d24d4c7fa9160899a02
                  • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                  • Instruction Fuzzy Hash: 6F917F70A042269AEB34DF69C881BBEF7A6FF44364F54651AE8D5A72C0E63099438770
                  Function 05E99126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2188520319.0000000005E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05E60000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_5e60000_ilasm.jbxd
                  Similarity
                  • API ID:
                  • String ID: $$@
                  • API String ID: 0-1194432280
                  • Opcode ID: 386f6ff6943ac8a050185a8b13f93df0ff650f768d2f2b2fc5f4ebf8a6999ef6
                  • Instruction ID: 88e169135ed77dbba5b543387f0f51cd432a34096de26242100c3b4bf25857a6
                  • Opcode Fuzzy Hash: 386f6ff6943ac8a050185a8b13f93df0ff650f768d2f2b2fc5f4ebf8a6999ef6
                  • Instruction Fuzzy Hash: F4812A76D002699BDB35CF54CC45BEEB7B5BB08714F0151EAAA4AB7240E7709E84CFA0