Windows Analysis Report
AWB-112-17259653.exe

Overview

General Information

Sample name: AWB-112-17259653.exe
Analysis ID: 1465320
MD5: a45de4191ab20f3a4c96cb77374a4be9
SHA1: 5fee92a85e47b8cac8391fda0374e1a44b00f966
SHA256: a01dcf8636b3ad56545d228cf3e38c3554ab5622516d1fd9e52b55249ab7fbea
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • AWB-112-17259653.exe (PID: 1656 cmdline: "C:\Users\user\Desktop\AWB-112-17259653.exe" MD5: A45DE4191AB20F3A4C96CB77374A4BE9)
    • powershell.exe (PID: 5812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6284 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • AWB-112-17259653.exe (PID: 5100 cmdline: "C:\Users\user\Desktop\AWB-112-17259653.exe" MD5: A45DE4191AB20F3A4C96CB77374A4BE9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a8e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2db33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17242:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: AWB-112-17259653.exe PID: 1656 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Source | Rule | Description | Author | Strings
4.2.AWB-112-17259653.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.AWB-112-17259653.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2db33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17242:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
4.2.AWB-112-17259653.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.AWB-112-17259653.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2cd33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16442:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AWB-112-17259653.exe", ParentImage: C:\Users\user\Desktop\AWB-112-17259653.exe, ParentProcessId: 1656, ParentProcessName: AWB-112-17259653.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe", ProcessId: 5812, ProcessName: powershell.exe
            Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\AWB-112-17259653.exe", ParentImage: C:\Users\user\Desktop\AWB-112-17259653.exe, ParentProcessId: 1656, ParentProcessName: AWB-112-17259653.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe", ProcessId: 5812, ProcessName: powershell.exe
            No Snort rule has matched

            AV Detection

            Source: AWB-112-17259653.exe, ReversingLabs: Detection: 63%
            Source: Yara match, File source: 4.2.AWB-112-17259653.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.AWB-112-17259653.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: AWB-112-17259653.exe, Joe Sandbox ML: detected
            Source: AWB-112-17259653.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: AWB-112-17259653.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: EgVX.pdb source: AWB-112-17259653.exe
            Source: Binary string: wntdll.pdbUGP source: AWB-112-17259653.exe, 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: AWB-112-17259653.exe, AWB-112-17259653.exe, 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: EgVX.pdbSHA256 source: AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, 00000000.00000002.2128628775.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            E-Banking Fraud

            Source: Yara match, File source: 4.2.AWB-112-17259653.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 4.2.AWB-112-17259653.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 4.2.AWB-112-17259653.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 4.2.AWB-112-17259653.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_0042B043 NtClose, 4_2_0042B043
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2DF0 NtQuerySystemInformation, LdrInitializeThunk, 4_2_012A2DF0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2C70 NtFreeVirtualMemory, LdrInitializeThunk, 4_2_012A2C70
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A35C0 NtCreateMutant, LdrInitializeThunk, 4_2_012A35C0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A4340 NtSetContextThread, 4_2_012A4340
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A4650 NtSuspendThread, 4_2_012A4650
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2B60 NtClose, 4_2_012A2B60
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2BA0 NtEnumerateValueKey, 4_2_012A2BA0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2B80 NtQueryInformationFile, 4_2_012A2B80
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2BE0 NtQueryValueKey, 4_2_012A2BE0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2BF0 NtAllocateVirtualMemory, 4_2_012A2BF0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2AB0 NtWaitForSingleObject, 4_2_012A2AB0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2AF0 NtWriteFile, 4_2_012A2AF0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2AD0 NtReadFile, 4_2_012A2AD0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2D30 NtUnmapViewOfSection, 4_2_012A2D30
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2D00 NtSetInformationFile, 4_2_012A2D00
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2D10 NtMapViewOfSection, 4_2_012A2D10
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2DB0 NtEnumerateKey, 4_2_012A2DB0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2DD0 NtDelayExecution, 4_2_012A2DD0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2C00 NtQueryInformationProcess, 4_2_012A2C00
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2C60 NtCreateKey, 4_2_012A2C60
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2CA0 NtQueryInformationToken, 4_2_012A2CA0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2CF0 NtOpenProcess, 4_2_012A2CF0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2CC0 NtQueryVirtualMemory, 4_2_012A2CC0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2F30 NtCreateSection, 4_2_012A2F30
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2F60 NtCreateProcessEx, 4_2_012A2F60
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2FA0 NtQuerySection, 4_2_012A2FA0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2FB0 NtResumeThread, 4_2_012A2FB0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2F90 NtProtectVirtualMemory, 4_2_012A2F90
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2FE0 NtCreateFile, 4_2_012A2FE0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2E30 NtWriteVirtualMemory, 4_2_012A2E30
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2EA0 NtAdjustPrivilegesToken, 4_2_012A2EA0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2E80 NtReadVirtualMemory, 4_2_012A2E80
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A2EE0 NtQueueApcThread, 4_2_012A2EE0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A3010 NtOpenDirectoryObject, 4_2_012A3010
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A3090 NtSetValueKey, 4_2_012A3090
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A39B0 NtGetContextThread, 4_2_012A39B0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A3D10 NtOpenProcessToken, 4_2_012A3D10
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: 4_2_012A3D70 NtOpenThread, 4_2_012A3D70
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: String function: 012DEA12 appears 86 times
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: String function: 012A5130 appears 58 times
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: String function: 012EF290 appears 105 times
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: String function: 012B7E54 appears 111 times
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe, Code function: String function: 0125B970 appears 280 times
            Source: AWB-112-17259653.exe, 00000000.00000000.2108684835.0000000000B9E000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameEgVX.exeP vs AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, 00000000.00000002.2128628775.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameRT.dll. vs AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, 00000000.00000002.2151017299.0000000008810000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, 00000000.00000002.2126823780.000000000103E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, 00000000.00000002.2131167569.00000000040F4000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, 00000000.00000002.2145333871.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameRT.dll. vs AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, 00000004.00000002.2375938389.000000000135D000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs AWB-112-17259653.exe
            Source: AWB-112-17259653.exe, Binary or memory string: OriginalFilenameEgVX.exeP vs AWB-112-17259653.exe
            Source: 4.2.AWB-112-17259653.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 4.2.AWB-112-17259653.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: AWB-112-17259653.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.AWB-112-17259653.exe.428c250.1.raw.unpack, MVNbS7YAua6xYK1j6j.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: _0020.AddAccessRule
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, MVNbS7YAua6xYK1j6j.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.AWB-112-17259653.exe.8810000.5.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.AWB-112-17259653.exe.8810000.5.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.AWB-112-17259653.exe.8810000.5.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: _0020.AddAccessRule
            Source: 0.2.AWB-112-17259653.exe.428c250.1.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: _0020.SetAccessControl
            Source: 0.2.AWB-112-17259653.exe.428c250.1.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.AWB-112-17259653.exe.428c250.1.raw.unpack, QwZ6KtOiXSFKDgNRZc.csSecurity API names: _0020.AddAccessRule
            Source: 0.2.AWB-112-17259653.exe.8810000.5.raw.unpack, MVNbS7YAua6xYK1j6j.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/6@0/0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AWB-112-17259653.exe.logJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_03
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xyopqlv1.tus.ps1Jump to behavior
            Source: AWB-112-17259653.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: AWB-112-17259653.exe; ReversingLabs: Detection: 63%
            Source: unknown; Process created: C:\Users\user\Desktop\AWB-112-17259653.exe "C:\Users\user\Desktop\AWB-112-17259653.exe"
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe"
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Process created: C:\Users\user\Desktop\AWB-112-17259653.exe "C:\Users\user\Desktop\AWB-112-17259653.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: version.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: slc.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exe; Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder; Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: AWB-112-17259653.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: AWB-112-17259653.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: AWB-112-17259653.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: EgVX.pdb source: AWB-112-17259653.exe
            Source: Binary string: wntdll.pdbUGP source: AWB-112-17259653.exe, 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: AWB-112-17259653.exe, AWB-112-17259653.exe, 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: EgVX.pdbSHA256 source: AWB-112-17259653.exe

            Data Obfuscation

            Source: 0.2.AWB-112-17259653.exe.428c250.1.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs; .Net Code: jivVeEEDft System.Reflection.Assembly.Load(byte[])
            Source: 0.2.AWB-112-17259653.exe.8810000.5.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs; .Net Code: jivVeEEDft System.Reflection.Assembly.Load(byte[])
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, QwZ6KtOiXSFKDgNRZc.cs; .Net Code: jivVeEEDft System.Reflection.Assembly.Load(byte[])
            Source: AWB-112-17259653.exe; Static PE information: 0xB44B1A61 [Sat Nov 7 12:00:33 2065 UTC]
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 0_2_07CEA098 pushad ; iretd 0_2_07CEA0A5
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 0_2_07CEDC50 pushfd ; retf 0_2_07CEDC51
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_0041893B push esp; ret 4_2_0041894E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_00403250 push eax; ret 4_2_00403252
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_0040B2D4 pushad ; iretd 4_2_0040B2DC
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_0040CB57 push esi; ret 4_2_0040CB58
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_0040750C push 4EACA0F1h; retf 4_2_00407511
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_0040165A push eax; iretd 4_2_0040165E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_0040A60E push eax; ret 4_2_0040A60F
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_00401EE0 pushad ; ret 4_2_00401EF0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_00415F43 push edx; retf 4_2_00415F90
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_0041870B pushfd ; iretd 4_2_0041870D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Code function: 4_2_012609AD push ecx; mov dword ptr [esp], ecx 4_2_012609B6
            Source: AWB-112-17259653.exe; Static PE information: section name: .text entropy: 7.914772972826564
            Source: 0.2.AWB-112-17259653.exe.428c250.1.raw.unpack, 0.2.AWB-112-17259653.exe.8810000.5.raw.unpack, 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack; High entropy of concatenated method names in the unpacked .cs source files
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, V1sHTExdCQbJeZPfqM.csHigh entropy of concatenated method names: 'xhMWG0Epn6', 'XiaWtEhG1x', 'QCZSLtVtAN', 'TMGS1Wl8MM', 'PrwSnOTNyp', 'P1xSBLMEyk', 'XrtSfNKHQ0', 'TssS7lvGr4', 'svySjFIOLp', 'nx5SC8SsI8'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, dQesEKlmmDcV6K05mh.csHigh entropy of concatenated method names: 'NM2ma5tAqA', 'WVFmu3MSFx', 'CV8me8AbEG', 'zj5mE6oZuL', 'zQqmTVnE05', 'XDKmtBAoHU', 'fKJmd36ngZ', 'KdamlIAjAp', 'L4hOFHcVoR51K6BADqk', 'fQCKd9cB4EI6E3V42bW'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, NiFZsGrqbQlOfG1rAd.csHigh entropy of concatenated method names: 'n1qSE3nG44', 'MUXSTcZFDA', 'dyMSbiTc5Y', 'NeoSdvfIkA', 'orcSKu79lW', 'ICRSwjSfJS', 'RK9SQQIrbf', 'MQ5S5enmSY', 'kX4SguE198', 'fWfSi1Nxrk'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, DjePJLjfgaHDtHuAxh.csHigh entropy of concatenated method names: 'hv8IkdEXj5', 'drBIMq0OCo', 'eZJI6dGOwh', 'Yi6I0UOxhO', 'mJiIKbytba', 'w9mIw9Lr8l', 'z1jOi42FrDk5nwCngU', 'GjSaQIxMvTYieOvVlA', 'ADbIIpaJkO', 'drYIyhv89Z'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, QwZ6KtOiXSFKDgNRZc.csHigh entropy of concatenated method names: 'ehBycZAA1p', 'uV1ypAKrb6', 'tubyOm9n28', 'egCySeODob', 'vS0yW7vc1a', 'RKHymOK6Id', 'LMHykKRH3U', 'Aa5yMalODS', 'XoEyYFVdp2', 'kWKy6ul9XD'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, zW2lPRW3pJCVnbU1e1.csHigh entropy of concatenated method names: 'g4JmcHoIdx', 'uPtmO3diZH', 'SnZmWvQ87B', 'OKZmkCnnw3', 'SYbmM6qNNC', 'LxHWheJjY2', 'GeHW4G8Xa5', 'uPKWJEPFQX', 'tuoWvN4o7e', 'ebdW2KI3dB'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, fUcPXMX7lSxFMystF0j.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DNEiHmtZqw', 'd8PisWQ1mQ', 'KPKiXu61EE', 'SmriZttCYm', 'n2gihD34gd', 'DRji49hAvq', 'FnpiJLc8V7'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, LRTmIEJuAxYQRwkB1i.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'qpg32cuHB1', 'Yck38Zt2yg', 'dFP3zfTSxs', 'E1JyN4PeY6', 'OCKyI31CGY', 'lYcy3OUAtY', 'pmoyyhZlHl', 'WybDR0wYGH1ATPMdGFB'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, B3j4FUnxpY4wXtuNFU.csHigh entropy of concatenated method names: 'uixKCQZYVE', 'mj9Kr908tl', 'VxMKHpvvkL', 'AubKsVpqZt', 'hdUKqJc1CS', 'vR5KLtVFBu', 'PHQK1rXFjn', 'DQWKnhNS8G', 'CAQKBnUlZ6', 'fF8KfvSRpl'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, YXDaZdddCfMNIqFb4S.csHigh entropy of concatenated method names: 'hYRRLNcAIPvpc1ZalDP', 'PDnbL7cI7o8Rl8NSCwk', 'rx9m5STkoc', 'e3Amg17e6Q', 'uBCmis0sCp', 'aqRH6gcnN1YO4a5G72H', 'ILjBkecpWVFRuO1JaqG'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, OejkQGXPKdiBEca2XrE.csHigh entropy of concatenated method names: 'pIPgumTgep', 'TXCgAhgbSe', 'h3AgejaPmT', 'fHggEwudJF', 'gUBgGGOTEq', 'z1pgTH72rw', 'tcIgtg6AiQ', 'Vq8gbaDanD', 'nOxgdYB9OW', 'AroglAmCPd'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, uoP1nGghhnxsuNO8QV.csHigh entropy of concatenated method names: 'niGQ6YjslI', 'mIRQ0Kqcy5', 'ToString', 'auWQpuTYRK', 'm7HQOKyPJI', 'HlhQS2KMNe', 'daHQWuLNWE', 'aYPQmGHJbj', 'cp3QkVRP7K', 'hrlQM6DFDs'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, kDLQOeAwKUBNUhm28w.csHigh entropy of concatenated method names: 'XR5kuX7YPh', 'pAbkATCLMN', 'vUPkegfMUw', 'wjKkEbYuwa', 'et1kGLeHSS', 'JVfkTLfMvs', 'FkpktquOw1', 'Iy8kb7HcMM', 'oNikdTtwmO', 'xOcklDtA2Z'
            Source: 0.2.AWB-112-17259653.exe.4310270.2.raw.unpack, w1HdCvs7hHDCLl9IpC.csHigh entropy of concatenated method names: 'KrTFbc3Wrp', 'IOpFdBEQvw', 'ByPFPRvAYk', 'o4LFqbsdH9', 'jQvF1pXLcc', 'mLQFnv6AIp', 'TckFfAkq2O', 'nqkF7fxXWw', 'kOJFCQFtJk', 'DlvFxg9pBc'

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: AWB-112-17259653.exe PID: 1656, type: MEMORYSTR
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Memory allocated: 12C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Memory allocated: 2EB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Memory allocated: 4EB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Memory allocated: 89A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Memory allocated: 99A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Memory allocated: 9B90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Memory allocated: AB90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Code function: 4_2_012A096E rdtsc 4_2_012A096E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Thread delayed: delay time: 240000
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Thread delayed: delay time: 239890
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Thread delayed: delay time: 239781
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Window / User API: threadDelayed 730
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe Window / User API: threadDelayed 818
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6933
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2782
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe API coverage: 0.6 %
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe TID: 1936 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe TID: 1936 Thread sleep time: -240000s >= -30000s
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe TID: 1936 Thread sleep time: -239890s >= -30000s
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe TID: 1936 Thread sleep time: -239781s >= -30000s
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe TID: 6528 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3568 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe TID: 5476 Thread sleep time: -30000s >= -30000s
            Source: AWB-112-17259653.exe, 00000000.00000002.2126823780.00000000010C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012A096E rdtsc 4_2_012A096E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_00417563 LdrLoadDll,4_2_00417563
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0125E420 mov eax, dword ptr fs:[00000030h]4_2_0125E420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0125E420 mov eax, dword ptr fs:[00000030h]4_2_0125E420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E6420 mov eax, dword ptr fs:[00000030h]4_2_012E6420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E6420 mov eax, dword ptr fs:[00000030h]4_2_012E6420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E6420 mov eax, dword ptr fs:[00000030h]4_2_012E6420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E6420 mov eax, dword ptr fs:[00000030h]4_2_012E6420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E6420 mov eax, dword ptr fs:[00000030h]4_2_012E6420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E6420 mov eax, dword ptr fs:[00000030h]4_2_012E6420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E6420 mov eax, dword ptr fs:[00000030h]4_2_012E6420
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129A430 mov eax, dword ptr fs:[00000030h]4_2_0129A430
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01298402 mov eax, dword ptr fs:[00000030h]4_2_01298402
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01298402 mov eax, dword ptr fs:[00000030h]4_2_01298402
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01298402 mov eax, dword ptr fs:[00000030h]4_2_01298402
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EC460 mov ecx, dword ptr fs:[00000030h]4_2_012EC460
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0128A470 mov eax, dword ptr fs:[00000030h]4_2_0128A470
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0128A470 mov eax, dword ptr fs:[00000030h]4_2_0128A470
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0128A470 mov eax, dword ptr fs:[00000030h]4_2_0128A470
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0131A456 mov eax, dword ptr fs:[00000030h]4_2_0131A456
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129E443 mov eax, dword ptr fs:[00000030h]4_2_0129E443
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0128245A mov eax, dword ptr fs:[00000030h]4_2_0128245A
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0125645D mov eax, dword ptr fs:[00000030h]4_2_0125645D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012664AB mov eax, dword ptr fs:[00000030h]4_2_012664AB
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012944B0 mov ecx, dword ptr fs:[00000030h]4_2_012944B0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EA4B0 mov eax, dword ptr fs:[00000030h]4_2_012EA4B0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0131A49A mov eax, dword ptr fs:[00000030h]4_2_0131A49A
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012604E5 mov ecx, dword ptr fs:[00000030h]4_2_012604E5
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129C720 mov eax, dword ptr fs:[00000030h]4_2_0129C720
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129C720 mov eax, dword ptr fs:[00000030h]4_2_0129C720
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129273C mov eax, dword ptr fs:[00000030h]4_2_0129273C
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129273C mov ecx, dword ptr fs:[00000030h]4_2_0129273C
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129273C mov eax, dword ptr fs:[00000030h]4_2_0129273C
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DC730 mov eax, dword ptr fs:[00000030h]4_2_012DC730
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129C700 mov eax, dword ptr fs:[00000030h]4_2_0129C700
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01260710 mov eax, dword ptr fs:[00000030h]4_2_01260710
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01290710 mov eax, dword ptr fs:[00000030h]4_2_01290710
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01268770 mov eax, dword ptr fs:[00000030h]4_2_01268770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01270770 mov eax, dword ptr fs:[00000030h]4_2_01270770
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129674D mov esi, dword ptr fs:[00000030h]4_2_0129674D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129674D mov eax, dword ptr fs:[00000030h]4_2_0129674D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129674D mov eax, dword ptr fs:[00000030h]4_2_0129674D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EE75D mov eax, dword ptr fs:[00000030h]4_2_012EE75D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01260750 mov eax, dword ptr fs:[00000030h]4_2_01260750
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012A2750 mov eax, dword ptr fs:[00000030h]4_2_012A2750
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012A2750 mov eax, dword ptr fs:[00000030h]4_2_012A2750
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E4755 mov eax, dword ptr fs:[00000030h]4_2_012E4755
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012607AF mov eax, dword ptr fs:[00000030h]4_2_012607AF
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_013147A0 mov eax, dword ptr fs:[00000030h]4_2_013147A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0130678E mov eax, dword ptr fs:[00000030h]4_2_0130678E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012827ED mov eax, dword ptr fs:[00000030h]4_2_012827ED
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012827ED mov eax, dword ptr fs:[00000030h]4_2_012827ED
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012827ED mov eax, dword ptr fs:[00000030h]4_2_012827ED
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EE7E1 mov eax, dword ptr fs:[00000030h]4_2_012EE7E1
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012647FB mov eax, dword ptr fs:[00000030h]4_2_012647FB
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012647FB mov eax, dword ptr fs:[00000030h]4_2_012647FB
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126C7C0 mov eax, dword ptr fs:[00000030h]4_2_0126C7C0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E07C3 mov eax, dword ptr fs:[00000030h]4_2_012E07C3
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127E627 mov eax, dword ptr fs:[00000030h]4_2_0127E627
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01296620 mov eax, dword ptr fs:[00000030h]4_2_01296620
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01298620 mov eax, dword ptr fs:[00000030h]4_2_01298620
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126262C mov eax, dword ptr fs:[00000030h]4_2_0126262C
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DE609 mov eax, dword ptr fs:[00000030h]4_2_012DE609
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127260B mov eax, dword ptr fs:[00000030h]4_2_0127260B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127260B mov eax, dword ptr fs:[00000030h]4_2_0127260B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127260B mov eax, dword ptr fs:[00000030h]4_2_0127260B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127260B mov eax, dword ptr fs:[00000030h]4_2_0127260B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127260B mov eax, dword ptr fs:[00000030h]4_2_0127260B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127260B mov eax, dword ptr fs:[00000030h]4_2_0127260B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127260B mov eax, dword ptr fs:[00000030h]4_2_0127260B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012A2619 mov eax, dword ptr fs:[00000030h]4_2_012A2619
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129A660 mov eax, dword ptr fs:[00000030h]4_2_0129A660
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129A660 mov eax, dword ptr fs:[00000030h]4_2_0129A660
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0132866E mov eax, dword ptr fs:[00000030h]4_2_0132866E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0132866E mov eax, dword ptr fs:[00000030h]4_2_0132866E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01292674 mov eax, dword ptr fs:[00000030h]4_2_01292674
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0127C640 mov eax, dword ptr fs:[00000030h]4_2_0127C640
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129C6A6 mov eax, dword ptr fs:[00000030h]4_2_0129C6A6
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012966B0 mov eax, dword ptr fs:[00000030h]4_2_012966B0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01264690 mov eax, dword ptr fs:[00000030h]4_2_01264690
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01264690 mov eax, dword ptr fs:[00000030h]4_2_01264690
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DE6F2 mov eax, dword ptr fs:[00000030h]4_2_012DE6F2
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DE6F2 mov eax, dword ptr fs:[00000030h]4_2_012DE6F2
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DE6F2 mov eax, dword ptr fs:[00000030h]4_2_012DE6F2
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DE6F2 mov eax, dword ptr fs:[00000030h]4_2_012DE6F2
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E06F1 mov eax, dword ptr fs:[00000030h]4_2_012E06F1
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E06F1 mov eax, dword ptr fs:[00000030h]4_2_012E06F1
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0129A6C7
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129A6C7 mov eax, dword ptr fs:[00000030h]4_2_0129A6C7
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E892A mov eax, dword ptr fs:[00000030h]4_2_012E892A
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012F892B mov eax, dword ptr fs:[00000030h]4_2_012F892B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DE908 mov eax, dword ptr fs:[00000030h]4_2_012DE908
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DE908 mov eax, dword ptr fs:[00000030h]4_2_012DE908
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EC912 mov eax, dword ptr fs:[00000030h]4_2_012EC912
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01258918 mov eax, dword ptr fs:[00000030h]4_2_01258918
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01258918 mov eax, dword ptr fs:[00000030h]4_2_01258918
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012A096E mov eax, dword ptr fs:[00000030h]4_2_012A096E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012A096E mov edx, dword ptr fs:[00000030h]4_2_012A096E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012A096E mov eax, dword ptr fs:[00000030h]4_2_012A096E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01304978 mov eax, dword ptr fs:[00000030h]4_2_01304978
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01304978 mov eax, dword ptr fs:[00000030h]4_2_01304978
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01286962 mov eax, dword ptr fs:[00000030h]4_2_01286962
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01286962 mov eax, dword ptr fs:[00000030h]4_2_01286962
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01286962 mov eax, dword ptr fs:[00000030h]4_2_01286962
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EC97C mov eax, dword ptr fs:[00000030h]4_2_012EC97C
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E0946 mov eax, dword ptr fs:[00000030h]4_2_012E0946
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01334940 mov eax, dword ptr fs:[00000030h]4_2_01334940
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012729A0 mov eax, dword ptr fs:[00000030h]4_2_012729A0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012609AD mov eax, dword ptr fs:[00000030h]4_2_012609AD
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012609AD mov eax, dword ptr fs:[00000030h]4_2_012609AD
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E89B3 mov esi, dword ptr fs:[00000030h]4_2_012E89B3
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E89B3 mov eax, dword ptr fs:[00000030h]4_2_012E89B3
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012E89B3 mov eax, dword ptr fs:[00000030h]4_2_012E89B3
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EE9E0 mov eax, dword ptr fs:[00000030h]4_2_012EE9E0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012929F9 mov eax, dword ptr fs:[00000030h]4_2_012929F9
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012929F9 mov eax, dword ptr fs:[00000030h]4_2_012929F9
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0132A9D3 mov eax, dword ptr fs:[00000030h]4_2_0132A9D3
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012F69C0 mov eax, dword ptr fs:[00000030h]4_2_012F69C0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126A9D0 mov eax, dword ptr fs:[00000030h]4_2_0126A9D0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126A9D0 mov eax, dword ptr fs:[00000030h]4_2_0126A9D0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126A9D0 mov eax, dword ptr fs:[00000030h]4_2_0126A9D0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126A9D0 mov eax, dword ptr fs:[00000030h]4_2_0126A9D0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126A9D0 mov eax, dword ptr fs:[00000030h]4_2_0126A9D0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0126A9D0 mov eax, dword ptr fs:[00000030h]4_2_0126A9D0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012949D0 mov eax, dword ptr fs:[00000030h]4_2_012949D0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0130483A mov eax, dword ptr fs:[00000030h]4_2_0130483A
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0130483A mov eax, dword ptr fs:[00000030h]4_2_0130483A
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129A830 mov eax, dword ptr fs:[00000030h]4_2_0129A830
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01282835 mov eax, dword ptr fs:[00000030h]4_2_01282835
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01282835 mov eax, dword ptr fs:[00000030h]4_2_01282835
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01282835 mov eax, dword ptr fs:[00000030h]4_2_01282835
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01282835 mov ecx, dword ptr fs:[00000030h]4_2_01282835
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01282835 mov eax, dword ptr fs:[00000030h]4_2_01282835
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01282835 mov eax, dword ptr fs:[00000030h]4_2_01282835
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EC810 mov eax, dword ptr fs:[00000030h]4_2_012EC810
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EE872 mov eax, dword ptr fs:[00000030h]4_2_012EE872
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EE872 mov eax, dword ptr fs:[00000030h]4_2_012EE872
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012F6870 mov eax, dword ptr fs:[00000030h]4_2_012F6870
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012F6870 mov eax, dword ptr fs:[00000030h]4_2_012F6870
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01272840 mov ecx, dword ptr fs:[00000030h]4_2_01272840
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01290854 mov eax, dword ptr fs:[00000030h]4_2_01290854
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01264859 mov eax, dword ptr fs:[00000030h]4_2_01264859
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01264859 mov eax, dword ptr fs:[00000030h]4_2_01264859
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01260887 mov eax, dword ptr fs:[00000030h]4_2_01260887
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012EC89D mov eax, dword ptr fs:[00000030h]4_2_012EC89D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129C8F9 mov eax, dword ptr fs:[00000030h]4_2_0129C8F9
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0129C8F9 mov eax, dword ptr fs:[00000030h]4_2_0129C8F9
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0132A8E4 mov eax, dword ptr fs:[00000030h]4_2_0132A8E4
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0128E8C0 mov eax, dword ptr fs:[00000030h]4_2_0128E8C0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_013308C0 mov eax, dword ptr fs:[00000030h]4_2_013308C0
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0128EB20 mov eax, dword ptr fs:[00000030h]4_2_0128EB20
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0128EB20 mov eax, dword ptr fs:[00000030h]4_2_0128EB20
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01328B28 mov eax, dword ptr fs:[00000030h]4_2_01328B28
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01328B28 mov eax, dword ptr fs:[00000030h]4_2_01328B28
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012DEB1D mov eax, dword ptr fs:[00000030h]4_2_012DEB1D
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01334B00 mov eax, dword ptr fs:[00000030h]4_2_01334B00
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0125CB7E mov eax, dword ptr fs:[00000030h]4_2_0125CB7E
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0130EB50 mov eax, dword ptr fs:[00000030h]4_2_0130EB50
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01332B57 mov eax, dword ptr fs:[00000030h]4_2_01332B57
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01332B57 mov eax, dword ptr fs:[00000030h]4_2_01332B57
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01332B57 mov eax, dword ptr fs:[00000030h]4_2_01332B57
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01332B57 mov eax, dword ptr fs:[00000030h]4_2_01332B57
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012F6B40 mov eax, dword ptr fs:[00000030h]4_2_012F6B40
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_012F6B40 mov eax, dword ptr fs:[00000030h]4_2_012F6B40
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_0132AB40 mov eax, dword ptr fs:[00000030h]4_2_0132AB40
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01308B42 mov eax, dword ptr fs:[00000030h]4_2_01308B42
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01258B50 mov eax, dword ptr fs:[00000030h]4_2_01258B50
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01314B4B mov eax, dword ptr fs:[00000030h]4_2_01314B4B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01314B4B mov eax, dword ptr fs:[00000030h]4_2_01314B4B
            Source: C:\Users\user\Desktop\AWB-112-17259653.exeCode function: 4_2_01314BB0 mov eax, dword ptr fs:[00000030h]4_2_01314BB0
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe"
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Memory written: C:\Users\user\Desktop\AWB-112-17259653.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Process created: C:\Users\user\Desktop\AWB-112-17259653.exe "C:\Users\user\Desktop\AWB-112-17259653.exe"
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Users\user\Desktop\AWB-112-17259653.exe VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\AWB-112-17259653.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match; File source: 4.2.AWB-112-17259653.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.AWB-112-17259653.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match; File source: 4.2.AWB-112-17259653.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.AWB-112-17259653.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 12 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            [Behavior graph, ID: 1465320. Sample: AWB-112-17259653.exe; Startdate: 01/07/2024; Architecture: WINDOWS; Score: 100. Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures. AWB-112-17259653.exe started; signatures: Adds a directory exclusion to Windows Defender, Injects a PE file into a foreign processes; dropped C:\Users\user\...\AWB-112-17259653.exe.log, ASCII; started powershell.exe and AWB-112-17259653.exe. powershell.exe signature: Loading BitLocker PowerShell Module; started conhost.exe and WmiPrvSE.exe.]

            Source | Detection | Scanner | Label | Link
            AWB-112-17259653.exe | 63% | ReversingLabs | Win32.Trojan.Leonem |
            AWB-112-17259653.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AWB-112-17259653.exe, 00000000.00000002.2128628775.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            No contacted IP infos
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1465320
            Start date and time:2024-07-01 15:24:16 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 6s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:12
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:AWB-112-17259653.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@7/6@0/0
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 95%
            • Number of executed functions: 55
            • Number of non-executed functions: 276
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtCreateKey calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: AWB-112-17259653.exe
            Time | Type | Description
            09:25:04 | API Interceptor | 16x Sleep call for process: AWB-112-17259653.exe modified
            09:25:07 | API Interceptor | 20x Sleep call for process: powershell.exe modified
            Process:C:\Users\user\Desktop\AWB-112-17259653.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1500
            Entropy (8bit):5.345358309061185
            Encrypted:false
            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4VE4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAHQ
            MD5:215B3562F83C4FB9BBB129D2F9E59ADA
            SHA1:0534A53F6F42ECA7E56EB02E328A2025254AC511
            SHA-256:4CF4451F940D8D730D8209079E1404A1EAD1A36C33E69AB8AE43E0E7D33B4450
            SHA-512:E09A97CE89258E1BCDA4832E1348720EBCD462E0C81736CCAD8D99AB1AC60ECBAF5E1F552C4F0977F498D25E27739197D2A9C1EFFDEB7116020D106231EB7C43
            Malicious:true
            Reputation:moderate, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):2232
            Entropy (8bit):5.379552885213346
            Encrypted:false
            SSDEEP:48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIfA2KRHmOugw1s
            MD5:3E5712DC6AFCA8CF60C5CB8BE65E2089
            SHA1:CDBAF3935912EFB05DBE58CA89C5422F07B528A0
            SHA-256:B9F7E5F0AFD718D8585A8B37DD8C459ECDD4E7E68C5FE61631D89CDD3E229833
            SHA-512:1BD81033EB26CD0EE3DEF6F02FECB4097D878D61CAA5BEF6739C51E889B99C9E695BECF51719959D33F7BA9838E202ADD7EE4DD704D5163B584F4E8B8B7ECC38
            Malicious:false
            Reputation:moderate, very likely benign file
            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):60
            Entropy (8bit):4.038920595031593
            Encrypted:false
            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
            MD5:D17FE0A3F47BE24A6453E9EF58C94641
            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
            Malicious:false
            Reputation:high, very likely benign file
            Preview:# PowerShell test file to determine AppLocker lockdown mode
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.908049664398796
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            • Win32 Executable (generic) a (10002005/4) 49.75%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Windows Screen Saver (13104/52) 0.07%
            • Generic Win/DOS Executable (2004/3) 0.01%
            File name:AWB-112-17259653.exe
            File size:699'392 bytes
            MD5:a45de4191ab20f3a4c96cb77374a4be9
            SHA1:5fee92a85e47b8cac8391fda0374e1a44b00f966
            SHA256:a01dcf8636b3ad56545d228cf3e38c3554ab5622516d1fd9e52b55249ab7fbea
            SHA512:64a2a7ec8267f1c7e0fbc9d74c9b41d2d52187e407829d0a92b9fdabed9b2d14f7390696288cb9084860ca95645c11db91c68fdb466227559b89295b5a13bdc2
            SSDEEP:12288:N99glhtCbCawxue0hSqiiUdrW0fjqLjEbrhLehbe0EewOREkKJz5:N9wxz0hiqCeLjCdLehbeBOi
            TLSH:00E41244F3B96B12E97E9BF53831511007FD756A1124E7080FCA28DE2A3BF478A65B4B
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a.K...............0.............r.... ........@.. ....................... ............@................................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x4ac072
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0xB44B1A61 [Sat Nov 7 12:00:33 2065 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac01f | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x5d4 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa9ef0 | 0x70 | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0xaa078 | 0xaa200 | 315b225ea41786a2e907555f5ec1a03f | False | 0.9204600247979426 | data | 7.914772972826564 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0xae000 | 0x5d4 | 0x600 | f7b227a43e61f9f6c5a50cfb5030ed0e | False | 0.4309895833333333 | data | 4.149952475681409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xb0000 | 0xc | 0x200 | 7912ae18473cfeba15cd1d9804febb5f | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_VERSION | 0xae090 | 0x344 | data | | | 0.430622009569378
            RT_MANIFEST | 0xae3e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Jul 1, 2024 15:25:50.081741095 CEST | 53 | 62652 | 162.159.36.2 | 192.168.2.6
            Jul 1, 2024 15:25:50.586822987 CEST | 53 | 49348 | 1.1.1.1 | 192.168.2.6


            Target ID:0
            Start time:09:25:04
            Start date:01/07/2024
            Path:C:\Users\user\Desktop\AWB-112-17259653.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\AWB-112-17259653.exe"
            Imagebase:0xaf0000
            File size:699'392 bytes
            MD5 hash:A45DE4191AB20F3A4C96CB77374A4BE9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:09:25:05
            Start date:01/07/2024
            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\AWB-112-17259653.exe"
            Imagebase:0x530000
            File size:433'152 bytes
            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:09:25:05
            Start date:01/07/2024
            Path:C:\Users\user\Desktop\AWB-112-17259653.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\AWB-112-17259653.exe"
            Imagebase:0x830000
            File size:699'392 bytes
            MD5 hash:A45DE4191AB20F3A4C96CB77374A4BE9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2375838448.0000000001160000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
            Reputation:low
            Has exited:true

            Target ID:5
            Start time:09:25:06
            Start date:01/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:09:25:09
            Start date:01/07/2024
            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Imagebase:0x7ff717f30000
            File size:496'640 bytes
            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

              Execution Graph

              Execution Coverage:7%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:135
              Total number of Limit Nodes:14
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 839a88f91c4fc23e7339b41493d110fb95eafb8668d5a032cd38f81bc7502270
              • Instruction ID: 2345e9a5318a055964cb963aa890fef65276540ffd8c82aa8bf2fc937111629f
              • Opcode Fuzzy Hash: 839a88f91c4fc23e7339b41493d110fb95eafb8668d5a032cd38f81bc7502270
              • Instruction Fuzzy Hash: 4EE1EEB1B017058FDB29DB75C8A0BAEB7FAAF89700F14456DD1469B390DB34EA01CB51

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 012CD43E
              • GetCurrentThread.KERNEL32 ref: 012CD47B
              • GetCurrentProcess.KERNEL32 ref: 012CD4B8
              • GetCurrentThreadId.KERNEL32 ref: 012CD511
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_12c0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: f16fe760d9b13d70328d297f2ffa61c29f074fa10872caaf0097ff5433a81833
              • Instruction ID: 13df4aef4ccf3db3adb5455f0c3f377a10278f9dab947ea8e01f29fcef7b30f1
              • Opcode Fuzzy Hash: f16fe760d9b13d70328d297f2ffa61c29f074fa10872caaf0097ff5433a81833
              • Instruction Fuzzy Hash: 865146B091070ACFEB54CFA9D548BEEBBF1EF88304F208559E609A7350D774A944CB65

              Control-flow Graph

              APIs
              • GetCurrentProcess.KERNEL32 ref: 012CD43E
              • GetCurrentThread.KERNEL32 ref: 012CD47B
              • GetCurrentProcess.KERNEL32 ref: 012CD4B8
              • GetCurrentThreadId.KERNEL32 ref: 012CD511
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_12c0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: Current$ProcessThread
              • String ID:
              • API String ID: 2063062207-0
              • Opcode ID: 7b05ab3de50ee05144120f3bdd1c84549fbd9f861411e70bf34d8b95f8877196
              • Instruction ID: bddfa915b1f19b3da995edacf4e0ab5795b3ca75f44082973d71ef3210c57e17
              • Opcode Fuzzy Hash: 7b05ab3de50ee05144120f3bdd1c84549fbd9f861411e70bf34d8b95f8877196
              • Instruction Fuzzy Hash: F85146B091074ACFEB14CFAAD548BDEBBF1EF88304F208559E609A7350D774A944CBA5

              Control-flow Graph

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CE9E76
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 6c57a95b51e7fc8db3127a4773c5bfc43175bd2af60471bc79602aab2261d489
              • Instruction ID: bc62d8e62157b5983fd373b825c4e1fbdd859f15dce0f56c200ba5e35b7b2c28
              • Opcode Fuzzy Hash: 6c57a95b51e7fc8db3127a4773c5bfc43175bd2af60471bc79602aab2261d489
              • Instruction Fuzzy Hash: 52916FB1D0021ADFEF10CF68C8857EDBBB6BF49310F148569E809A7240DB749A85CF92

              Control-flow Graph

              APIs
              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CE9E76
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 5a98ee018497f5f51fe2d642be8115cde8305ac623420254c657fd118c170bb2
              • Instruction ID: 9b4c455cc3e5f60f6a20099d69a0f40ece76bd4d69ea7ab133b7cafcc95f81a3
              • Opcode Fuzzy Hash: 5a98ee018497f5f51fe2d642be8115cde8305ac623420254c657fd118c170bb2
              • Instruction Fuzzy Hash: 6C916FB1D0021ADFDF10CF68C8857EDBBB6BF49310F148569E809A7240DB749A85CF92

              Control-flow Graph

              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 012CB39E
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_12c0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: HandleModule
              • String ID:
              • API String ID: 4139908857-0
              • Opcode ID: 7d480a601d676e98d12039ba0986ad39910d10a581b2325ca20dca5f30ba8d09
              • Instruction ID: c5371cdaf2d356a63ed4c0ef3ef5964e8fe88388d17afe75e9d0907473c33437
              • Opcode Fuzzy Hash: 7d480a601d676e98d12039ba0986ad39910d10a581b2325ca20dca5f30ba8d09
              • Instruction Fuzzy Hash: D3714770A10B068FDB24DF69D45576ABBF2FF88740F008A2DD64AD7A40D774E849CB91

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 012C59C9
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_12c0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 8a4a4ef14463244f8c2fd837c427491556cc16509df409bd2ee860e5d6ccefc5
              • Instruction ID: 7a941860956f459c624543377cf97fdd6f53e3ddf9553370403080ee74d1243b
              • Opcode Fuzzy Hash: 8a4a4ef14463244f8c2fd837c427491556cc16509df409bd2ee860e5d6ccefc5
              • Instruction Fuzzy Hash: 9D41F471D0071DCBEB14CFAAC885B8EBBF5BF49704F20816AD508AB250DBB5A945CF91

              Control-flow Graph

              APIs
              • CreateActCtxA.KERNEL32(?), ref: 012C59C9
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_12c0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 1f1795dbde3c34052688221daf64714acdd0ad72bece5624b90eaf8450783a62
              • Instruction ID: b95186b89e4e4a40946210ee5ba7afa263637873c79f6cc19f795591d021aa3f
              • Opcode Fuzzy Hash: 1f1795dbde3c34052688221daf64714acdd0ad72bece5624b90eaf8450783a62
              • Instruction Fuzzy Hash: FE41E370D1071DCBEB24CFAAC8447CEBBB5BF49704F20816AD508AB251DBB5A945CF90

              Control-flow Graph

              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CE989E
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: db02d549072ed16af140f15bd87a9d365cac9a0304926c44416c2b7f15350f16
              • Instruction ID: 68815b99ebe11045dd59403f2d33794933130c59db1d3a0c69a75f028b053dfa
              • Opcode Fuzzy Hash: db02d549072ed16af140f15bd87a9d365cac9a0304926c44416c2b7f15350f16
              • Instruction Fuzzy Hash: 2B214AB1D102098FDB10CFA9C8817EEBBF5EF88324F14842AD519A7240C779A945CF91

              Control-flow Graph

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CE9A48
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 2ec8301eb662da4d8b943972b40222677f03985afd562262b3bd4c8c350548b9
              • Instruction ID: 3397583c2b2a06dd42839aa1d1a7ed2189e4e8757755d471b8945d8cddac9447
              • Opcode Fuzzy Hash: 2ec8301eb662da4d8b943972b40222677f03985afd562262b3bd4c8c350548b9
              • Instruction Fuzzy Hash: CE2146B1900349DFDB00CFAAC885BDEBBF5FF48310F10842AE959A7240D778A954CBA5

              Control-flow Graph

              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CE9A48
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 2f56432f35bb105f435505b3eb2fcc705166ad49c0c2d1862c63ace17df91fd2
              • Instruction ID: 262f340e5a4e3f148e1caf2ffbcc39f45de42e478cbe07eff82c557195853c92
              • Opcode Fuzzy Hash: 2f56432f35bb105f435505b3eb2fcc705166ad49c0c2d1862c63ace17df91fd2
              • Instruction Fuzzy Hash: 662126B19003599FDB10CFAAC985BDEBBF5FF48310F108429E959A7240D778A944CBA5

              Control-flow Graph

              control_flow_graph 275 7ce98f0-7ce98f1 276 7ce98cb-7ce98e4 275->276 277 7ce98f3-7ce9973 VirtualAllocEx 275->277 281 7ce997c-7ce99a1 277->281 282 7ce9975-7ce997b 277->282 282->281
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CE9966
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: AllocVirtual

              Control-flow Graph

              control_flow_graph 296 7ce9aa3-7ce9b35 ReadProcessMemory 300 7ce9b3e-7ce9b6e 296->300 301 7ce9b37-7ce9b3d 296->301 301->300
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CE9B28
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: MemoryProcessRead

              Control-flow Graph

              control_flow_graph 315 7ce9aa8-7ce9b35 ReadProcessMemory 318 7ce9b3e-7ce9b6e 315->318 319 7ce9b37-7ce9b3d 315->319 319->318
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CE9B28
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: MemoryProcessRead

              Control-flow Graph

              control_flow_graph 305 7ce9820-7ce986b 307 7ce986d-7ce9879 305->307 308 7ce987b-7ce98ab Wow64SetThreadContext 305->308 307->308 310 7ce98ad-7ce98b3 308->310 311 7ce98b4-7ce98e4 308->311 310->311
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CE989E
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: ContextThreadWow64
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD68F
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Similarity
              • API ID: DuplicateHandle

              Control-flow Graph

              control_flow_graph 323 12cd601-12cd69c DuplicateHandle 324 12cd69e-12cd6a4 323->324 325 12cd6a5-12cd6c2 323->325 324->325
              APIs
              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012CD68F
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Similarity
              • API ID: DuplicateHandle
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012CB419,00000800,00000000,00000000), ref: 012CB60A
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Similarity
              • API ID: LibraryLoad
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: ResumeThread
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07CEC525
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: MessagePost
              APIs
              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CE9966
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: AllocVirtual
              APIs
              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,012CB419,00000800,00000000,00000000), ref: 012CB60A
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Similarity
              • API ID: LibraryLoad
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: ResumeThread
              APIs
              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07CEC525
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Similarity
              • API ID: MessagePost
              APIs
              • GetModuleHandleW.KERNELBASE(00000000), ref: 012CB39E
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Similarity
              • API ID: HandleModule
              • Opcode Fuzzy Hash: aac397ae286a2a4b71cc1937313e7136f8adf1b1a55fc439efcc83e89b63ae79
              • Instruction Fuzzy Hash: 03E13BB4E002598FDB14DFA9C5809AEFBF6FF89301F248169D855AB355D730A942CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1ef4a0a26fa393892f3671e35e4e3da9cb3d9d5b8314dd0d17976714bc3056e1
              • Instruction ID: 29ff7fc3b703b6d599d61d9eed46bc7baab361025a0e33f68ec397a420a18921
              • Opcode Fuzzy Hash: 1ef4a0a26fa393892f3671e35e4e3da9cb3d9d5b8314dd0d17976714bc3056e1
              • Instruction Fuzzy Hash: 7EE10AB4E002198FDB14DFA9C5809AEFBF6FF89305F248169D455AB355D730A942CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6df29d65420b82f0338521be13313ff78cee0d5b7e44be715e972f3d049ff1c2
              • Instruction ID: d9c02bb4bf78249fb71f9acc4e0e49b3db1dfae6e6b73125f72f32683b787827
              • Opcode Fuzzy Hash: 6df29d65420b82f0338521be13313ff78cee0d5b7e44be715e972f3d049ff1c2
              • Instruction Fuzzy Hash: F0E13CB4E002198FDB14DFA9C5809AEFBF6FF89305F248169D845AB355D730A942CFA1
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c3a2e6b70a61ea05825dad4eb327e84622cf36f35b4ee5648fe47e71b23fe306
              • Instruction ID: aff75d8af0b002cbd6d7fe4b36eb573716cbf5b0c6c2efea5df94d51f458643e
              • Opcode Fuzzy Hash: c3a2e6b70a61ea05825dad4eb327e84622cf36f35b4ee5648fe47e71b23fe306
              • Instruction Fuzzy Hash: AEE1FAB4E0021A8FDB14DFA9C5809AEFBF6FF89305F248169D855AB355D730A942CF60
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3417d91f6dfaf3637dffab12a514489234f9f160033e73cf73db6e566540a14
              • Instruction ID: 49fbe2d3b913d53f71ca67f384058a88851f9bbf7043b4b89cf6c26ebc2619c2
              • Opcode Fuzzy Hash: f3417d91f6dfaf3637dffab12a514489234f9f160033e73cf73db6e566540a14
              • Instruction Fuzzy Hash: DDE11BB4E002198FDB14DFA9C5809AEFBF6FF89305F248159D855AB355D730A942CF60
              Memory Dump Source
              • Source File: 00000000.00000002.2145216110.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6630000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 139bf74b105cf74f1f7411baacc75b205caf9c5f73cda5ce67699c2857e823c4
              • Instruction ID: c2cc209560ecdcb746aa9fb932128d064aabd2611c1917bebf6f4aa3ac3e9af3
              • Opcode Fuzzy Hash: 139bf74b105cf74f1f7411baacc75b205caf9c5f73cda5ce67699c2857e823c4
              • Instruction Fuzzy Hash: BAB1D735F04221CFE759CFA8C49466A7BB2AF86304B198069D4D6DB391CB35DC42E7E1
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4e54343e6e85f2cd51125f342bb5629638111a5ea77523eb12d695af547ec831
              • Instruction ID: 29abfbf62db9accf44fd8dab82b4f0e1a0a0a308bc082b40dc8f30d40d573947
              • Opcode Fuzzy Hash: 4e54343e6e85f2cd51125f342bb5629638111a5ea77523eb12d695af547ec831
              • Instruction Fuzzy Hash: 6DD1D474A00609CFDB58DF69D598AADB7F5BF8D710F2580A8E405AB361DB31AD40CF60
              Memory Dump Source
              • Source File: 00000000.00000002.2127577190.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_12c0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9b73c747b3ded74387dd691d3e3aa0b5ae78af93759e900411561b48883db1b9
              • Instruction ID: d992402fbc3527421f9037d6dfa7710f0a741cf35cbc33cc17281ac232b24117
              • Opcode Fuzzy Hash: 9b73c747b3ded74387dd691d3e3aa0b5ae78af93759e900411561b48883db1b9
              • Instruction Fuzzy Hash: FBA18F32E1020A8FCF19DFB5C9405AEBBB2FF85700B15467EEA05AB265DB71D915CB80
              Memory Dump Source
              • Source File: 00000000.00000002.2145216110.0000000006630000.00000040.00000800.00020000.00000000.sdmp, Offset: 06630000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_6630000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 14bf15e11a8112589ad9372100f361f60a50e4e070f211d00604ef91c8a5993f
              • Instruction ID: 7e9f1b6c8e01e24caa1e7af34ace6d22e1afba18544a353d1e97c2509033c19e
              • Opcode Fuzzy Hash: 14bf15e11a8112589ad9372100f361f60a50e4e070f211d00604ef91c8a5993f
              • Instruction Fuzzy Hash: 2BD1F83192075ACACB01EB64D9506ADB771FFE9300F10CBAAD5493B214FB706AC9CB91
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0dd587effdd770e9e2dee6c383e5912c9528b06117a1b0b7d8f7ff421a6a24b9
              • Instruction ID: 74c065ab6677f5f3ffe9aea490256f5e67861c9c3c413410ede5a83bc3984708
              • Opcode Fuzzy Hash: 0dd587effdd770e9e2dee6c383e5912c9528b06117a1b0b7d8f7ff421a6a24b9
              • Instruction Fuzzy Hash: E7513CB0E0025A8FDB14DFA9C5805AEFBF6FF89311F248169D448A7355D7309942CFA0
              Memory Dump Source
              • Source File: 00000000.00000002.2149965039.0000000007CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CE0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_7ce0000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9f5da23f88c80cde8e92e4410ee74b89329482f142660d16b77342ce33764b82
              • Instruction ID: a10a9131bf22ad744b70e5ff376dc3254d21ea525aa2ea0e4ce0cf92547bf704
              • Opcode Fuzzy Hash: 9f5da23f88c80cde8e92e4410ee74b89329482f142660d16b77342ce33764b82
              • Instruction Fuzzy Hash: 89510BB0E002198FDB14DFA9C9805EEFBF6FF89305F248169D459AB256D7309942CFA1

              Execution Graph

              Execution Coverage:0.7%
              Dynamic/Decrypted Code Coverage:4.8%
              Signature Coverage:8.7%
              Total number of Nodes:104
              Total number of Limit Nodes:8

              Control-flow Graph

              control_flow_graph 9 417563-41757f 10 417587-41758c 9->10 11 417582 call 42dbc3 9->11 12 417592-4175a0 call 42e0e3 10->12 13 41758e-417591 10->13 11->10 16 4175b0-4175c1 call 42c593 12->16 17 4175a2-4175ad call 42e383 12->17 22 4175c3-4175d7 LdrLoadDll 16->22 23 4175da-4175dd 16->23 17->16 22->23
              APIs
              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004175D5
              Memory Dump Source
              • Source File: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_AWB-112-17259653.jbxd
              Yara matches
              Similarity
              • API ID: Load
              • String ID:
              • API String ID: 2234796835-0
              • Opcode ID: ee42f8d8793020ec2df12135a14a1a1a44b4e94e8a4e1f4e9a38d61ce16bc817
              • Instruction ID: aa95b4dfb64e6a9ec7892862e702998255a16b9d033994f05c1b20222fdea62f
              • Opcode Fuzzy Hash: ee42f8d8793020ec2df12135a14a1a1a44b4e94e8a4e1f4e9a38d61ce16bc817
              • Instruction Fuzzy Hash: 87011EB5E0020DBBDF10DBE5DC42FDEB778AB54308F0081AAE90897241F675EB558B95

              Control-flow Graph

              control_flow_graph 34 42b043-42b07c call 4046f3 call 42c0c3 NtClose
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_AWB-112-17259653.jbxd
              Yara matches
              Similarity
              • API ID: Close
              • String ID:
              • API String ID: 3535843008-0
              • Opcode ID: d2fce80bf96f9aef502c7a706a78167f0df0f39cd2da303e79a79779ee84456a
              • Instruction ID: ffaf1c4e845619c312234e72993fc9ff90263f8a355b3c874327399a7ff256d0
              • Opcode Fuzzy Hash: d2fce80bf96f9aef502c7a706a78167f0df0f39cd2da303e79a79779ee84456a
              • Instruction Fuzzy Hash: ABE04F722042147BC210EA5ADC42F9B776CDFC5714F40441AFA0CA7241C775B9008AF8

              Control-flow Graph

              control_flow_graph 49 12a2df0-12a2dfc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 809f56127f72ca241e5a45f10c6b02ad5fee20def11a2a9c4b17d6035777e570
              • Instruction ID: 99abf4ae0b9fd376f63d565de7b3a5bbb1b0308e44b696df82f6b9e00802e1ec
              • Opcode Fuzzy Hash: 809f56127f72ca241e5a45f10c6b02ad5fee20def11a2a9c4b17d6035777e570
              • Instruction Fuzzy Hash: 5B90023121140413D11171584944747000D97D0381F95C412A1465558DD6568A52A621

              Control-flow Graph

              control_flow_graph 48 12a2c70-12a2c7c LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: a760bbecd22982c82b55f7163a4098641c1a6eba19c5485c6092e1822b4c187d
              • Instruction ID: 689cb50fcd7c3aaf99a598224d52c3f9c467fa698e1d07973da1eda1aa4148c8
              • Opcode Fuzzy Hash: a760bbecd22982c82b55f7163a4098641c1a6eba19c5485c6092e1822b4c187d
              • Instruction Fuzzy Hash: 8B90023121148802D1107158884478A000997D0341F59C411A5465658DC69589917621

              Control-flow Graph

              control_flow_graph 50 12a35c0-12a35cc LdrInitializeThunk
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: 50c38ea0a1eae905dbd88a0f9b8b97084128328a68f8b2a0df5a14265d7a5636
              • Instruction ID: bb77f1891e81ea576e98e578fcd0781c01074a8d18f4358667d3dff7d1f1839a
              • Opcode Fuzzy Hash: 50c38ea0a1eae905dbd88a0f9b8b97084128328a68f8b2a0df5a14265d7a5636
              • Instruction Fuzzy Hash: 6B90023161550402D10071584954746100997D0341F65C411A1465568DC7958A516AA2

              Control-flow Graph

              control_flow_graph 24 42b353-42b397 call 4046f3 call 42c0c3 RtlAllocateHeap
              APIs
              • RtlAllocateHeap.NTDLL(?,0041DD08,?,?,00000000,?,0041DD08,?,?,?), ref: 0042B392
              Memory Dump Source
              • Source File: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_AWB-112-17259653.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 67067a5979bf89484583072b10f1e444b18ba938f0cd1e1733e25f412d44e4b4
              • Instruction ID: 08153466ed60f3f2000019d0bfb2e373602b8a1c462ac61380ed6339d86ac2ef
              • Opcode Fuzzy Hash: 67067a5979bf89484583072b10f1e444b18ba938f0cd1e1733e25f412d44e4b4
              • Instruction Fuzzy Hash: 85E06DB22042047BD610EE99DC41FAB37ACEFC5714F40441AF90CA7241D675B9108AB8

              Control-flow Graph

              control_flow_graph 29 42b3a3-42b3e4 call 4046f3 call 42c0c3 RtlFreeHeap
              APIs
              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,00416E43,000000F4,?,?,?,?,?), ref: 0042B3DF
              Memory Dump Source
              • Source File: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_AWB-112-17259653.jbxd
              Yara matches
              Similarity
              • API ID: FreeHeap
              • String ID:
              • API String ID: 3298025750-0
              • Opcode ID: 13650c0d6e97d53927156756923c6077ca3cb3c8a3d43df0e4b7966925559e16
              • Instruction ID: 80b4c937ed58d4596e4ad6dd3a2aff8a2fca0abc077511e8a490e76b554d259d
              • Opcode Fuzzy Hash: 13650c0d6e97d53927156756923c6077ca3cb3c8a3d43df0e4b7966925559e16
              • Instruction Fuzzy Hash: BFE06D722042147BD610EE99EC41FAB37ACEFC5710F004419F908A7241D675B9108BB8

              Control-flow Graph

              control_flow_graph 39 42b3f3-42b429 call 4046f3 call 42c0c3 ExitProcess
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2375400060.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_400000_AWB-112-17259653.jbxd
              Yara matches
              Similarity
              • API ID: ExitProcess
              • String ID:
              • API String ID: 621844428-0
              • Opcode ID: 604270ba436fbaaf1a05b974bd8f4fc5f2b26e6030a311004d6d1d1377cbedf3
              • Instruction ID: 9ece63966d072ee311104e8e7a659c24dc27957594864eb624a4202f721f2215
              • Opcode Fuzzy Hash: 604270ba436fbaaf1a05b974bd8f4fc5f2b26e6030a311004d6d1d1377cbedf3
              • Instruction Fuzzy Hash: 37E04F36210214BBD210EA5ADC41F9B775CDFC5724F004419FA0CA7241C6B5BA018BF4

              Control-flow Graph

              control_flow_graph 44 12a2c0a-12a2c0f 45 12a2c1f-12a2c26 LdrInitializeThunk 44->45 46 12a2c11-12a2c18 44->46
              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              • Opcode ID: c51f824545ce80db550412db07cf04139506cca5b1eb6c2879178d4ebbffb35b
              • Instruction ID: 2c9e8c46cf0755b948777f015b4ed20f3ace096f98cec6804993b539daf81efd
              • Opcode Fuzzy Hash: c51f824545ce80db550412db07cf04139506cca5b1eb6c2879178d4ebbffb35b
              • Instruction Fuzzy Hash: 73B09B719115D5C6DA11E7644A08717790577D0741F56C061D3070641F4738C1D5E775
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
              • API String ID: 0-2160512332
              • Opcode ID: 17f9d234e00fb860f070ceea3f6d8d7051e1a1e4969950db1ed339945233befa
              • Instruction ID: aeefab780d268932e6e9e5fc8ed73bdde5632d41c01a2b100aace03ea2433075
              • Opcode Fuzzy Hash: 17f9d234e00fb860f070ceea3f6d8d7051e1a1e4969950db1ed339945233befa
              • Instruction Fuzzy Hash: 6092AE71624342EFE725CE29C888B6BBBE8BB84750F84491DFB96D7250D770E844CB52
              Strings
              • Thread identifier, xrefs: 012D553A
              • Thread is in a state in which it cannot own a critical section, xrefs: 012D5543
              • Critical section address, xrefs: 012D5425, 012D54BC, 012D5534
              • undeleted critical section in freed memory, xrefs: 012D542B
              • Address of the debug info found in the active list., xrefs: 012D54AE, 012D54FA
              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012D54CE
              • Critical section debug info address, xrefs: 012D541F, 012D552E
              • Critical section address., xrefs: 012D5502
              • Invalid debug info address of this critical section, xrefs: 012D54B6
              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012D54E2
              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012D540A, 012D5496, 012D5519
              • 8, xrefs: 012D52E3
              • double initialized or corrupted critical section, xrefs: 012D5508
              • corrupted critical section, xrefs: 012D54C2
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
              • API String ID: 0-2368682639
              • Opcode ID: 9e13a3e9059f2e4f0d84bfb250b22f217f84924b5d5fd7cdc80f77e37e40f9ab
              • Instruction ID: 8038ed8f1f9797737fe37fa26d06a59afdcef5a4cc8ba10adf5531b80509a806
              • Opcode Fuzzy Hash: 9e13a3e9059f2e4f0d84bfb250b22f217f84924b5d5fd7cdc80f77e37e40f9ab
              • Instruction Fuzzy Hash: B5819DB1A61349EFDB64CF99C845BAEBBB5FB08B14F144119F605BB240D3B5A940CB90
              Strings
              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 012D2624
              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 012D2498
              • @, xrefs: 012D259B
              • RtlpResolveAssemblyStorageMapEntry, xrefs: 012D261F
              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 012D2506
              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012D24C0
              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 012D2412
              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 012D2409
              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012D22E4
              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 012D2602
              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012D25EB
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
              • API String ID: 0-4009184096
              • Opcode ID: 6fb04c8588c5d23c6ac7e7d726020711f977f0179252775fc7a49aeb70838ba8
              • Instruction ID: 2a50ee8a03866c46fd3a957a3e9837d70a0dc3d8196d01deef27e3dbcaf56fc4
              • Opcode Fuzzy Hash: 6fb04c8588c5d23c6ac7e7d726020711f977f0179252775fc7a49aeb70838ba8
              • Instruction Fuzzy Hash: 430271B1D20229DFDF21DB58CD81BA9B7B8AF54304F4141DAEB09A7241DB709E84CF59
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
              • API String ID: 0-2515994595
              • Opcode ID: d22d0890918fdb7e885b69dd39b4f77e228007c390efef8ba4cc451279a95339
              • Instruction ID: 48ce2490abd8cfb010ce8c2ad6d0126bbc4269699649861885981eabeda768da
              • Opcode Fuzzy Hash: d22d0890918fdb7e885b69dd39b4f77e228007c390efef8ba4cc451279a95339
              • Instruction Fuzzy Hash: 0E51E2B1914305ABCB26DF1C8854BABBBECEFD4758F144A5DE984C3280E770D604C792
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
              Strings
              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 012E8A67
              • AVRF: -*- final list of providers -*- , xrefs: 012E8B8F
              • HandleTraces, xrefs: 012E8C8F
              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 012E8A3D
              • VerifierDlls, xrefs: 012E8CBD
              • VerifierFlags, xrefs: 012E8C50
              • VerifierDebug, xrefs: 012E8CA5
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
              Strings
              • Loading the shim user DLL failed with status 0x%08lx, xrefs: 012B9A2A
              • minkernel\ntdll\ldrinit.c, xrefs: 012B9A11, 012B9A3A
              • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 012B99ED
              • apphelp.dll, xrefs: 01256496
              • LdrpInitShimEngine, xrefs: 012B99F4, 012B9A07, 012B9A30
              • Getting the shim user exports failed with status 0x%08lx, xrefs: 012B9A01
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
              Strings
              • RtlGetAssemblyStorageRoot, xrefs: 012D2160, 012D219A, 012D21BA
              • SXS: %s() passed the empty activation context, xrefs: 012D2165
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012D21BF
              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 012D219F
              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 012D2178
              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 012D2180
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
              Strings
              • LdrpInitializeProcess, xrefs: 0129C6C4
              • minkernel\ntdll\ldrinit.c, xrefs: 0129C6C3
              • Loading import redirection DLL: '%wZ', xrefs: 012D8170
              • LdrpInitializeImportRedirection, xrefs: 012D8177, 012D81EB
              • minkernel\ntdll\ldrredirect.c, xrefs: 012D8181, 012D81F5
              • Unable to build import redirection Table, Status = 0x%x, xrefs: 012D81E5
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
              APIs
                • Part of subcall function 012A2DF0: LdrInitializeThunk.NTDLL ref: 012A2DFA
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012A0BA3
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012A0BB6
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012A0D60
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012A0D74
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
              • String ID:
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
              Strings
              • LdrpInitializeProcess, xrefs: 01298422
              • minkernel\ntdll\ldrinit.c, xrefs: 01298421
              • @, xrefs: 01298591
              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0129855E
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
              Strings
              • SXS: %s() passed the empty activation context, xrefs: 012D21DE
              • .Local, xrefs: 012928D8
              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012D21D9, 012D22B1
              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012D22B6
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
              Strings
              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 012C106B
              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 012C1028
              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 012C0FE5
              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012C10AE
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 012CA9A2
              • apphelp.dll, xrefs: 01282462
              • LdrpDynamicShimModule, xrefs: 012CA998
              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 012CA992
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
              Strings
              • HEAP: , xrefs: 01273264
              • HEAP[%wZ]: , xrefs: 01273255
              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0127327D
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: $@
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: FilterFullPath$UseFilter$\??\
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 012CA121
              • LdrpCheckModule, xrefs: 012CA117
              • Failed to allocated memory for shimmed module list, xrefs: 012CA10F
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 012D82E8
              • LdrpInitializePerUserWindowsDirectory, xrefs: 012D82DE
              • Failed to reallocate the system dirs string !, xrefs: 012D82D7
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
              Strings
              • @, xrefs: 0131C1F1
              • PreferredUILanguages, xrefs: 0131C212
              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0131C1C5
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
              Strings
              • LdrpCheckRedirection, xrefs: 012E488F
              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 012E4888
              • minkernel\ntdll\ldrredirect.c, xrefs: 012E4899
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
              Strings
              • minkernel\ntdll\ldrinit.c, xrefs: 012E2104
              • Process initialization failed with status 0x%08lx, xrefs: 012E20F3
              • LdrpInitializationFailure, xrefs: 012E20FA
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: #%u
              Strings
              • LdrResSearchResource Enter, xrefs: 0126AA13
              • LdrResSearchResource Exit, xrefs: 0126AA25
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: `$`
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID: Legacy$UEFI
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: @$MUI
              • API String ID: 0-17815947
              Strings
              • kLsE, xrefs: 01260540
              • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0126063D
              Similarity
              • API ID:
              • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
              • API String ID: 0-2547482624
              Strings
              • RtlpResUltimateFallbackInfo Exit, xrefs: 0126A309
              • RtlpResUltimateFallbackInfo Enter, xrefs: 0126A2FB
              Similarity
              • API ID:
              • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
              • API String ID: 0-2876891731
              Similarity
              • API ID: InitializeThunk
              • String ID: Cleanup Group$Threadpool!
              • API String ID: 2994545307-4008356553
              Similarity
              • API ID:
              • String ID: MUI
              • API String ID: 0-1339004836
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              Similarity
              • API ID:
              • String ID:
              • API String ID: 0-3916222277
              Similarity
              • API ID:
              • String ID: GlobalTags
              • API String ID: 0-1106856819
              Similarity
              • API ID:
              • String ID: .mui
              • API String ID: 0-1199573805
              Similarity
              • API ID:
              • String ID: EXT-
              • API String ID: 0-1948896318
              Similarity
              • API ID:
              • String ID: BinaryHash
              • API String ID: 0-2202222882
              Similarity
              • API ID:
              • String ID: #
              • API String ID: 0-1885708031
              Similarity
              • API ID:
              • String ID: BinaryName
              • API String ID: 0-215506332
              Strings
              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 012E895E
              Similarity
              • API ID:
              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
              • API String ID: 0-702105204
              • Opcode Fuzzy Hash: 3bb02c6a203ef68b0cd0a2504f15e0910b8720ee23c38a0d344822e7c6a748d5
              • Instruction Fuzzy Hash: F1819271A24316CFDB24CF5CD584B6D77BABB48B14F15422DDB00AB285EB749D81CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 314569a6865acc1fe70114a96329b9a85a48eccd3cc2e4df05f6285b45468b27
              • Instruction ID: 309c1ba4e59216023cda59bfe60fd71f0f3dd196f47df7488d9bcd20c6f2ccc1
              • Opcode Fuzzy Hash: 314569a6865acc1fe70114a96329b9a85a48eccd3cc2e4df05f6285b45468b27
              • Instruction Fuzzy Hash: 6E711A71E10209EFEB15DF94C841FEEBBB9FF44364F104269F611A6290E774AA05CB94
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 299eac580ecc62fce415392a1b07b31ce39823765eb18fa044287e62d1c19e34
              • Instruction ID: 409322a285907e6ef1ad6bc4a3f43e2c929788bc7c7c1e85e0f2039cb6b9f00f
              • Opcode Fuzzy Hash: 299eac580ecc62fce415392a1b07b31ce39823765eb18fa044287e62d1c19e34
              • Instruction Fuzzy Hash: AF51F272505782AFD716DE68C844F6BB7ECEBC8718F000929BA40EB254DB70ED04C7A2
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd84c17f7a1097b24c3a09e1d1cc59bc3b16f41e3335de1ea66542a507aabbb2
              • Instruction ID: dfe8874ae381b561024fe5a25eaba248dcb029bac5ac02d70fa8bf09a6d63cba
              • Opcode Fuzzy Hash: dd84c17f7a1097b24c3a09e1d1cc59bc3b16f41e3335de1ea66542a507aabbb2
              • Instruction Fuzzy Hash: AC51CF70900B05DFD722DF5AC890AABFBF8BF94718F10465ED29267AE0C770A545CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e881e70009ff8d2198fbbb043ab65afac9f9a708d9132cf132811054051f6c72
              • Instruction ID: 2cac66e469d149faff183f988e2b5283b3d9f74af3288f0a0556d472b0da355e
              • Opcode Fuzzy Hash: e881e70009ff8d2198fbbb043ab65afac9f9a708d9132cf132811054051f6c72
              • Instruction Fuzzy Hash: 29516B71220A06DFDB22EFA9C980FAAB3F9FF14784F41042DE65697660E734E940DB51
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8135a7e3b84b157ac51d78b60ba61bc61d9b2b5b782c01d5b21effe4f8f47eb2
              • Instruction ID: 23dd2f163876be7c79a8ebe0e88fcd99d272c21a1dad9cb65885255b004efa9b
              • Opcode Fuzzy Hash: 8135a7e3b84b157ac51d78b60ba61bc61d9b2b5b782c01d5b21effe4f8f47eb2
              • Instruction Fuzzy Hash: E7519B716083029FD755DF29C890A6BB7E5BFC8308F44496DF689C7290E730EA15CB56
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction ID: 1bd9b731fc74227166b208c5557d6db4dfc5e489c0b48a2f4861d7e8c127ad36
              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
              • Instruction Fuzzy Hash: 6551BC71E1125BAFDF15FF98C440BBEBBB9AF44750F14816AEA01AB280D734D944CBA0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction ID: 0f90536aa53a226e7a239871cfa93fbb0fadc317e92aede2143a51dc39e2b494
              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
              • Instruction Fuzzy Hash: 1151B831D2021AEFEF21DE94C889BAEBBF9BF04314F56466DD61167290F7709D4487A0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3ba421341aed3338d7bfa5437b55e15be83305b268fc6c7d80bb3fdf5bde7caf
              • Instruction ID: 363f19823fc54534d8a4ff117077baa8fdd8c32bc059f4d995900db049857f1f
              • Opcode Fuzzy Hash: 3ba421341aed3338d7bfa5437b55e15be83305b268fc6c7d80bb3fdf5bde7caf
              • Instruction Fuzzy Hash: 0941F5707016319BDB29FB2DC894B7BFBDAFF90628F048699F95587280DB34D801C691
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ff7ef069e9d483802e7236c1c9dc04892d67931f2f83a5f974560d3f5449f2e6
              • Instruction ID: 7e036731e540c70d359036e5d79adf031b953beb3beef24b8abcbc0e0d193be0
              • Opcode Fuzzy Hash: ff7ef069e9d483802e7236c1c9dc04892d67931f2f83a5f974560d3f5449f2e6
              • Instruction Fuzzy Hash: 9F51AEB1920316DFCB20DFA9C8849AEBBF9FF48764F904519E605A3304D732AD61CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d199ffeb353c7fd541d0ccb0747f6c1adbe43aef4071dc3ac8e5001d3aa35a4
              • Instruction ID: 3ebc9601a0e6f6bdd832b3afaa920304284593536becab49065f330c6d54031b
              • Opcode Fuzzy Hash: 8d199ffeb353c7fd541d0ccb0747f6c1adbe43aef4071dc3ac8e5001d3aa35a4
              • Instruction Fuzzy Hash: EE41F971B60306DFDF25EF6DE881F7A3769EB58B58F41002CEE0A9B245D7B198108791
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction ID: bd06d70414c0af2a7949a000722c6c7fb7c2573e24c5cc539817747cd5ba41e9
              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
              • Instruction Fuzzy Hash: C441EA716117269FDB25EF68C984A6BF7A9FF80318B05462EE95287A40EB30ED14C7D0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8a3e87054d577e8817d9677a8aa90b67b10dbe2ae741f4e36c8522c3082a818e
              • Instruction ID: 71a0229a46f7666b22c0843d5745c181f13213f6f4882664ebd5fe22febf5de0
              • Opcode Fuzzy Hash: 8a3e87054d577e8817d9677a8aa90b67b10dbe2ae741f4e36c8522c3082a818e
              • Instruction Fuzzy Hash: 13418936E2021A9BDF14DF9CC440AEEBBB8BF48710F14816AF916A7250D7759D41CBAC
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a99fdb7782cede3276eb5081ea55bf862a63f69682d559119958fa266b45a9d
              • Instruction ID: 920d696d02364ece8e8249228fab982e0731c5bb9d7d96e7e4b8bc8de0d9cf25
              • Opcode Fuzzy Hash: 0a99fdb7782cede3276eb5081ea55bf862a63f69682d559119958fa266b45a9d
              • Instruction Fuzzy Hash: 0D41D4B16253029FD724EF28C884A2BB7E9FF88324F01492DEA57C7751DB71E8448B51
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction ID: 152d41374023d977bb6e3f1ba6276cb607ae7f436a78c10d15bf4fbe674222d4
              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
              • Instruction Fuzzy Hash: B1515B75A10216CFCB15CF9CC480AAEF7B2FF84724F2881A9DA15A7351D770AE42CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 096d8e87d3934b96b6450e6163deb3b621ecf5c98998495d33e9a8a87dde78dc
              • Instruction ID: defd380e56cfdbc0de265de1e8c96bafa83afd2c5502a9abdecbf7db7ece68e8
              • Opcode Fuzzy Hash: 096d8e87d3934b96b6450e6163deb3b621ecf5c98998495d33e9a8a87dde78dc
              • Instruction Fuzzy Hash: 265127B0920257DBDB25CB28CC41BB9BBB9EF15314F1482A9D629A72D1D774A9C1CF40
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a2d505326dbdec3496af1aa74bbe3ebfcbe32720902cb16d94b1aecb2490ca9f
              • Instruction ID: 845614761fd39a178679404fe384ab71b85117b86927e9ecbec4dfb8b88c6fed
              • Opcode Fuzzy Hash: a2d505326dbdec3496af1aa74bbe3ebfcbe32720902cb16d94b1aecb2490ca9f
              • Instruction Fuzzy Hash: 98417671A2022A9FDB21DF68C940BEE77B8EF55740F4500A5EA08AB281D774DE84CF95
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction ID: 71d49416bc5e5ae8a380811b4c99fe41cc33c292b960c9a8437ccb951c8b35e8
              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
              • Instruction Fuzzy Hash: 1241D775B00125ABDB15EF9DCC84ABFBBFAAF84218F1440A9E90097341D770DD00C7A0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d9323731a9c66d6fe56db96372bec738de71496f6cf537760b6125b08c95da86
              • Instruction ID: 60bbe6006a913d2d1395a4ac21281bd677d403af344eeb879ae4e0c45cdeff1d
              • Opcode Fuzzy Hash: d9323731a9c66d6fe56db96372bec738de71496f6cf537760b6125b08c95da86
              • Instruction Fuzzy Hash: C941C4B06217029FE325CF28C480A26B7FDFF48714B144A6DE65787691E770F885DB98
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a04e60b5396637f9ed7b7dd51ed8ff6666dc2b9c2268d5d24d5de9549f427316
              • Instruction ID: 64bc557abce7c4995741c8f4e647f795c188f117e3445d82e76127aec3327159
              • Opcode Fuzzy Hash: a04e60b5396637f9ed7b7dd51ed8ff6666dc2b9c2268d5d24d5de9549f427316
              • Instruction Fuzzy Hash: 1F410031966206CFDF24EF6CE4947AE7BB4FB44710F04015AD611AB2C1EB789980CBA0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b878fbe6c69dc62acc7afac24bdd9b82121b5d3b67e6f911a42774d5c9d3264
              • Instruction ID: ac114590746a3c50ae625b6ac1047ae234264cbee10c8d8f47545892f0cca1bb
              • Opcode Fuzzy Hash: 2b878fbe6c69dc62acc7afac24bdd9b82121b5d3b67e6f911a42774d5c9d3264
              • Instruction Fuzzy Hash: 3641E971920302CBD728DF5CD880A6ABBB9FF94B14F15812DDA015B299E775D8C2CF90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7a500d65baac7846c60392db4df7307b9247acac23a831434b97fdcf5c5d7aab
              • Instruction ID: 4115abae0e231435591a0f0a46cd1fc3329f886ee0bbc4dbdc3e43d06733d9bf
              • Opcode Fuzzy Hash: 7a500d65baac7846c60392db4df7307b9247acac23a831434b97fdcf5c5d7aab
              • Instruction Fuzzy Hash: 73413E325283469FD312DF65C881A6BB7E9EF84B94F40092AFA84D7250E770DE058B93
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction ID: 3941ba5b6c6511c888fd9a814d6da344bad8bdb57ea41f39d55607790ec9d3a0
              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
              • Instruction Fuzzy Hash: 51413B31A30213DBDB21DE5984D27FABB61EB507A4F15816AFF459B240D6738D40CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 586fc4ce60054b1ea5ea0e1c983ac027c9f363677d623696efbcb6d2ca84f4aa
              • Instruction ID: 8943e8981e0623f06c715362ab0ad6ef2b6b68c2f1ceb6d2c973e5e9a2153e23
              • Opcode Fuzzy Hash: 586fc4ce60054b1ea5ea0e1c983ac027c9f363677d623696efbcb6d2ca84f4aa
              • Instruction Fuzzy Hash: 04417B71660702EFD721CF18C840B6ABBE9FF54754F20866AE6498B291E770ED81CB94
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction ID: 334811af4b47e964c8400ce1763349ce8c43924e12f90227eb2db8c9013dd83d
              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
              • Instruction Fuzzy Hash: 87413971A10609EFDB24CF9CC980AAABBF8FF18710B10496DE656DB650D330EA44CF54
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b3cd56066c7d716c1dfe008356068e85a41d4e6f8e3f5f6dfbaf07cb77e35b6
              • Instruction ID: adf42b602f2855b317b0f5dbd2d4e5f5bf146c851cbc513fa78e9ccd84469cb1
              • Opcode Fuzzy Hash: 4b3cd56066c7d716c1dfe008356068e85a41d4e6f8e3f5f6dfbaf07cb77e35b6
              • Instruction Fuzzy Hash: 1C41C1B1921702CFCB26EF28C941B69B7B9FF54714F1082A9C6169B6E1EB309981CB51
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6d39c7ecb531bca5c654280cec3a6c1c44170edbb452041230660073c67d7e7b
              • Instruction ID: 688a144ae9cad810c107f71817d0983dd7e990741566d82dacf0098ff9662e33
              • Opcode Fuzzy Hash: 6d39c7ecb531bca5c654280cec3a6c1c44170edbb452041230660073c67d7e7b
              • Instruction Fuzzy Hash: 143159B1A10356DFDB11CFACC440BA9BBF0EB49724F2085AED519EB251D3769902CB94
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a3a292757129164ff695aad04ccbcd96189224856b6b3cb1b56b20a188c0072
              • Instruction ID: 4d92378f3341736966e94338b7e1dd96f9f221a05d0ea63691576f337f8719b3
              • Opcode Fuzzy Hash: 9a3a292757129164ff695aad04ccbcd96189224856b6b3cb1b56b20a188c0072
              • Instruction Fuzzy Hash: 16419DB16243019BD320DF29C845BABBBE8FF88754F404A2EF59897250D7709905CB92
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55a035882fb5f8686ac848f68a8891d0cbfccfd1dcba2c19c65c0a39d3934f31
              • Instruction ID: 090049657a340366f51684ae12869cfdfae16b801b636b9709c3140afc25e958
              • Opcode Fuzzy Hash: 55a035882fb5f8686ac848f68a8891d0cbfccfd1dcba2c19c65c0a39d3934f31
              • Instruction Fuzzy Hash: A841E171A25616AFDB41DF1AC8C06A8BBB1FF54760F24C229DD16A7280DBB0ED418BD0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e0dd39a4ee50632686349cb78c861fcd2d89804757610fcfc7ff1b450c02657
              • Instruction ID: f322608fcfa7694545257470a605d82a0c31f07b826f3f1554f27c3a52146a64
              • Opcode Fuzzy Hash: 7e0dd39a4ee50632686349cb78c861fcd2d89804757610fcfc7ff1b450c02657
              • Instruction Fuzzy Hash: DD41E3726146429FC320DF29C844B7AB7E9FFC8700F540A1DFA5497680E770E906CBAA
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a398f19b6a33ee4ad6d453084a7cb3120358a4e56930cf6c14f8b845ef221e15
              • Instruction ID: 8aad4cf2b0cae90eb2b56e073eeee6b490b78d746656ed2ac22c258141a1eb57
              • Opcode Fuzzy Hash: a398f19b6a33ee4ad6d453084a7cb3120358a4e56930cf6c14f8b845ef221e15
              • Instruction Fuzzy Hash: B541D3702613828BD725EF28D894B3ABBEDEF80764F14442DEA858B2D1DB70D981CB51
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8faeed87676737e6a63d255cbbee165e15da5d7ab23102231c35d10093efb9ca
              • Instruction ID: 90b1a56625d425e59ac62a0aea02bb9787094e1b2bb34715058c304bbfefd63a
              • Opcode Fuzzy Hash: 8faeed87676737e6a63d255cbbee165e15da5d7ab23102231c35d10093efb9ca
              • Instruction Fuzzy Hash: 0B41A371E21605CFCB55CF6AC9C09ADB7F1FF98320B10862ED966E72A0D7749941CB40
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction ID: 0cd010e7d4d7af0582368411f7e5e41a3aa8fd47957ea028dfa97d73de2a75ed
              • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
              • Instruction Fuzzy Hash: 8C314A31A20245AFDB11DB68CC80BABBFE9EF15350F044166F815D7392D3B4D988CBA4
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be3948f27a52b21bc2a598199a2e9cc85b5792734743f3bb4c80d4542f8eb8df
              • Instruction ID: 9cbfca079efcd877319a1f8673702fbc18f301e7d612e6a0371ffcda4452f752
              • Opcode Fuzzy Hash: be3948f27a52b21bc2a598199a2e9cc85b5792734743f3bb4c80d4542f8eb8df
              • Instruction Fuzzy Hash: 3931943575071AABD722AF658C91F6B76E9AB58B54F010438F600BB3D1DAB4DC0087A0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a69cf2188e2d30a74bc9c3e285019e91acb883ab1797483cf6f4a08dd75b119
              • Instruction ID: 11b03f83e284261ecb323d0eb050e19439323aa4add673589206ee3ddcd826d0
              • Opcode Fuzzy Hash: 4a69cf2188e2d30a74bc9c3e285019e91acb883ab1797483cf6f4a08dd75b119
              • Instruction Fuzzy Hash: 1F31E272205301DFC729DF1DD881E26BBE9FB80764F5A846EE9998B659D730E800CF91
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 402d2451fc21accbc8e127d63d56c2f39cf908645ff22a372298448dc5ffcef3
              • Instruction ID: 0e466a798fc29d24e5866b7d0878e808903a0d1a2de89b84e13b6b889104e1b0
              • Opcode Fuzzy Hash: 402d2451fc21accbc8e127d63d56c2f39cf908645ff22a372298448dc5ffcef3
              • Instruction Fuzzy Hash: 1F41C075220B46DFD722DF28C981FE6BBE9AF44714F10452DE79A8B290D770E840CB94
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 32a131470b852f538cfaf69b467f5ef3dc0eec8627ad0ce8e449a00e5285468e
              • Instruction ID: 684cdedbcc0e804c3e7f129522cf71c4e5da6bb5ab2c106f48e3e91632f39702
              • Opcode Fuzzy Hash: 32a131470b852f538cfaf69b467f5ef3dc0eec8627ad0ce8e449a00e5285468e
              • Instruction Fuzzy Hash: C531C2716043029FDB28DF28D881E2AB7E5FB84714F05496DF9559B798E730EC05CB91
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 773c260fbf2f3b36ab245d98686cfa149a21c1f2ce8baa9f91abef3629fe3fba
              • Instruction ID: b4e598f7487272d34e5e94f4a9543d0911a8a9b2266c4a09782d7f9d97ab795d
              • Opcode Fuzzy Hash: 773c260fbf2f3b36ab245d98686cfa149a21c1f2ce8baa9f91abef3629fe3fba
              • Instruction Fuzzy Hash: C131C1317216879BF722975DCD48B267BD8BF40B44F1E00A4AB459F6D2EB68E841C325
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c9b48ac6e13c17551391de33c5a62c428300d2c447e3ad9a7d57a7488310a1dc
              • Instruction ID: d6a31ddbe327e9df6301b7f2b1a3235e1f3a26d42c5c29792749adaa61cb866e
              • Opcode Fuzzy Hash: c9b48ac6e13c17551391de33c5a62c428300d2c447e3ad9a7d57a7488310a1dc
              • Instruction Fuzzy Hash: D431B2B5A0026AABDB15EF98CC41BBEB7B9EF45B44F554168E900AB244D770ED00CBA4
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d75e3f2c20924cc145e4c6f78da9bac9cbf8e14f88ceeea036db36575bfba6ca
              • Instruction ID: 6341181fd79990b538f0f05766d66fecd938ef40ff4ddc7333d4b5c928ff6a2a
              • Opcode Fuzzy Hash: d75e3f2c20924cc145e4c6f78da9bac9cbf8e14f88ceeea036db36575bfba6ca
              • Instruction Fuzzy Hash: EA315576A4012DABCF22DF54DD44BDEBBF9AB98354F1400A5E608A7250DA30DF918F90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7d5d1515433a3ca76bfed97169e3d59757816c5b3c1d0bdfc648f6b295682767
              • Instruction ID: 38323a80c1c1308d7214d0602ac10c253715399f15c117d57967ee655ab6c2fc
              • Opcode Fuzzy Hash: 7d5d1515433a3ca76bfed97169e3d59757816c5b3c1d0bdfc648f6b295682767
              • Instruction Fuzzy Hash: 2931D872E21216AFDB21EFA9CD41BAFBBF9FF44750F014525E615D7290E2709E008BA0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c9e7b220c614baac637cfd4a7db0763a951e78ada35e8c1b91794fb5906606b
              • Instruction ID: 32b6b2e07c63a7fc3293bca1bdc7ee3aa779944fe54514e80aba0b103bae5159
              • Opcode Fuzzy Hash: 6c9e7b220c614baac637cfd4a7db0763a951e78ada35e8c1b91794fb5906606b
              • Instruction Fuzzy Hash: D931B6B1A00626EBD716AF99CC51B6FB7B9EF44758F244069E905DB352EA30FD008790
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4e8b2209c7c37c7d4f000efeaad1498a390d1472b69ae919b3202f0a1b5e15d4
              • Instruction ID: c5c7e586b002a35d1f282a08d73c84db57b671011cb7b3799e2b4ac5ad1613d9
              • Opcode Fuzzy Hash: 4e8b2209c7c37c7d4f000efeaad1498a390d1472b69ae919b3202f0a1b5e15d4
              • Instruction Fuzzy Hash: B931E832A24712DBC712DE288880DBFBBA9AF94650F024529FD5597390DA30DC51A7D5
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c090b851029eba6f26f5030e379119cb4bbd27b08ce436877530f2aaeae1b65f
              • Instruction ID: e343787e35a58043b70dbf49cecd413b447e528b8bbd2e974bbbd5d1be489c8f
              • Opcode Fuzzy Hash: c090b851029eba6f26f5030e379119cb4bbd27b08ce436877530f2aaeae1b65f
              • Instruction Fuzzy Hash: 59318271625302CFE720CF19C840B2ABBE9FF98B10F054A6EEA8597391D770E944CB91
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction ID: db6014e29a88cee62e47cfbee8eec90e117b5ef1de621431b12631bd009a86e1
              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
              • Instruction Fuzzy Hash: 05310E72B10702AFDB65CF6DDD42B9BBBF8AB08750F14492DA65AC3651E670E900CB60
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1a0bb05d90681f4e19e3fbfc8f0f94784d6cde0ff82321dad688f86f46ac5f9
              • Instruction ID: d8f75b207ae0e29ad7f7bebb67681b3b33bd5f8e265a2621e06222b61b5e9b5e
              • Opcode Fuzzy Hash: e1a0bb05d90681f4e19e3fbfc8f0f94784d6cde0ff82321dad688f86f46ac5f9
              • Instruction Fuzzy Hash: FD31ACB1605301CFCB16DF19C55096ABBF6FF89B18F4449AEE8889B391D332D944CB92
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f8006629e2a469fda7c853fd209e57317ba46632a776dc50886da69b1b9eefa1
              • Instruction ID: dcf45409d0b6a43a8d84670b716a985af8834c38edc8717cd8bd2c0a20e6ecee
              • Opcode Fuzzy Hash: f8006629e2a469fda7c853fd209e57317ba46632a776dc50886da69b1b9eefa1
              • Instruction Fuzzy Hash: FB31D171B212869FD720FFB8C881B6EBBF9EB90704F10852AD205D3295D730D945CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction ID: 5e5fcae004c9e063382e370481d00d90c141be6ae43c6338c596b721d9ffbe4c
              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
              • Instruction Fuzzy Hash: 8521D536E6125BAADB11DBB98881BFFBBB9AF54790F0580359E55E7340F270D90087A0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 554778d74acc7c64cfa30d4bac13f55e74b2454a06109a9b741f20a58a6bb425
              • Instruction ID: 42fc147d940319cec37b67680d63445f4add827d85585b16978a48d9dc456c44
              • Opcode Fuzzy Hash: 554778d74acc7c64cfa30d4bac13f55e74b2454a06109a9b741f20a58a6bb425
              • Instruction Fuzzy Hash: 34315BB15203068BD725AF68CCC1BF977B8EF40358F5481A9DE859B382DA74D982CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction ID: 946009d91ecccc24be70523d65b734cbd26fa9449ad70a51e337faf09f36f14c
              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
              • Instruction Fuzzy Hash: 2521423A68065277CF1AABA98C00FBBFBB5EF40714F40941EFA5597651EA34D950C360
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 92198370fe6252ff3180f86fe26038960becbca9064856ab9abd25aa64cd795d
              • Instruction ID: 55845267cc7ade252fb6cf8478d691359a7d043dd5360067852294a5cb74f8fd
              • Opcode Fuzzy Hash: 92198370fe6252ff3180f86fe26038960becbca9064856ab9abd25aa64cd795d
              • Instruction Fuzzy Hash: F531EA31A2011D9BDB31DF18DC81FEEFBB9EB15750F0200A5EA45A7190D6B49F808F91
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction ID: 4a411df64c6297434305f753bbefd06d05a8cf2e04a7e484ef36f62c6b11c9cf
              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
              • Instruction Fuzzy Hash: E22191B1A10649EFCF15DF5CCA80A9EBBB5FF48314F108169EF159B241D670EA06CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b98944d9fe3a8d9f40b6a977c98354ebef9b3bad21c34d3bbf28a0cf31ee2b42
              • Instruction ID: b878d1a730951cbdfc86c3b4515b64fe50c523bb9b85058be9ddf29867375340
              • Opcode Fuzzy Hash: b98944d9fe3a8d9f40b6a977c98354ebef9b3bad21c34d3bbf28a0cf31ee2b42
              • Instruction Fuzzy Hash: B621B1726247869BCB22EF5CD940F6BB7E4FB98760F004519FA549B641D730E9018BA2
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction ID: 1fd7c08fdec32717698b6318942e0fcbce1bd47e7867f4f60a51effb6276e600
              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
              • Instruction Fuzzy Hash: 1F319A31620605EFD721CF68C9C4FAAB7B9FF45354F1149A9EA128B291E770EE01CB50
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f4ad933dc7c4d23ecc88201912c9a0c909a1e2130a0686203996709769a95215
              • Instruction ID: ed43058aaf00f8891a08859766f820f63514f33d46e58e32ad2092ab13658ea7
              • Opcode Fuzzy Hash: f4ad933dc7c4d23ecc88201912c9a0c909a1e2130a0686203996709769a95215
              • Instruction Fuzzy Hash: 9D31AE75A20206DFCB14DF1CC8859AEBBB9FF84704B168459E9099B392E771EA50CFD0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cfeacab6fed82c346b6fb3369533aa187bfda7dce14d29ab8b3842d7dad8bee9
              • Instruction ID: c69fa6a346fd79486484d76c2bae0efaef7f3261f0f738a46b900793417d3890
              • Opcode Fuzzy Hash: cfeacab6fed82c346b6fb3369533aa187bfda7dce14d29ab8b3842d7dad8bee9
              • Instruction Fuzzy Hash: A2219171A1022A9BCF14DF59C881ABEB7F9FF48740F540069F941A7240D778AD42CFA5
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 20bf81dc35684a396db8545fb8d246b6acffa81a843b0ea5342b0f2af05ce5ba
              • Instruction ID: 4f83c30f63c38309770840927e8f2a76e55a285db1325a275611021e4d2d91bc
              • Opcode Fuzzy Hash: 20bf81dc35684a396db8545fb8d246b6acffa81a843b0ea5342b0f2af05ce5ba
              • Instruction Fuzzy Hash: 94219A71620646AFD715DB6CD884F6AB7E8FF48740F140069FA04DB6A0D774ED41CBA8
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 969946b9f16b3cfe42651706c1c568b58be49842da283810c960d92cf7972446
              • Instruction ID: b2691f28be490ae17bfb4b9a051023d4e3eb218bd2a115318abb4a2f674a2d85
              • Opcode Fuzzy Hash: 969946b9f16b3cfe42651706c1c568b58be49842da283810c960d92cf7972446
              • Instruction Fuzzy Hash: 2C21D372A243479BD711EF5AC848B6BBBDCAF90640F08045ABE80C7251D7B0D906C7A6
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 59d9ca08fc45cf2e671a942c039bb7dd0277a4e67818ce496f8605e835bc5e3d
              • Instruction ID: 29cf9bd7e575b76c24f80e13e9d69cda7ef77173adb11a1908d1412ce140c8f9
              • Opcode Fuzzy Hash: 59d9ca08fc45cf2e671a942c039bb7dd0277a4e67818ce496f8605e835bc5e3d
              • Instruction Fuzzy Hash: 5D210B31736687DBEB22A76C8D04B253BD5BF41B74F180364FB209B6D2EBA8C841C251
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc464180705ee78c188e53f1f37c1f4534e6ed457a23d4673bece45bb1767698
              • Instruction ID: bb264b4ca97c6684d19a981a3974521efa3a04707e2ff272075c5767e97d236a
              • Opcode Fuzzy Hash: cc464180705ee78c188e53f1f37c1f4534e6ed457a23d4673bece45bb1767698
              • Instruction Fuzzy Hash: C5216A752617429BCB25DF29C901B56B7F5AF48B04F14846CE509CBB61E371E842CB98
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b947eeb0196d7d5a50d81541a66b10391b172e3cf5fa67aa7acbe6a40fd280e3
              • Instruction ID: 8e8b72a951f17dedf24b97d0b1395a52d3f1c25226e7885777154156aaed3cd4
              • Opcode Fuzzy Hash: b947eeb0196d7d5a50d81541a66b10391b172e3cf5fa67aa7acbe6a40fd280e3
              • Instruction Fuzzy Hash: C7113272395A12FFE3265659AC00F2BBA9DDFD4B65F110028B748DB2C8EB70DC008795
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 10236fc2c17cdf09dc69cd1cf53b54e5cfcbf4d679c32762d02b6f8d9600d9e5
              • Instruction ID: 3dbaec4f0aab1e98841bb7e6420597e0cab4fcad742b69c546b3528cff8b478c
              • Opcode Fuzzy Hash: 10236fc2c17cdf09dc69cd1cf53b54e5cfcbf4d679c32762d02b6f8d9600d9e5
              • Instruction Fuzzy Hash: 3D21E9B1E10349ABCB14DFAAD8859AEFBF9FF98B10F10012EE505A7244D7709941CB54
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction ID: 2f5b57b9e5961da765be427d70f49278f0599d87d99293705ea3d22f408dcd5f
              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
              • Instruction Fuzzy Hash: F4216D72A1020AAFDF129F98CC40BAFFBB9EF58310F204829FA01A7251D774D9509B50
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction ID: 9c931573658841268e7a82db5dafa06f2151dcb55951a4dba964ad184ddbe7ce
              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
              • Instruction Fuzzy Hash: E911E2B261061AAFDB229B48DC41FAABBBCEF80754F100429F7048B180D671ED44DB68
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b00b468c273f44ca602afc85303112ef79cc228287fb4012dc2ce7a6c6251e7e
              • Instruction ID: 82116b69ed6f4f4b5d32cb75a74c72cb98961ee3ed721f0e3259304b6102d3e5
              • Opcode Fuzzy Hash: b00b468c273f44ca602afc85303112ef79cc228287fb4012dc2ce7a6c6251e7e
              • Instruction Fuzzy Hash: EE11B27A7207169BDB16CF4DC480A26BBEDAF4AB50B18406DEF089F244D6B2D9818790
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 41aa5e353b3c984446231a0c98b0c646825b93f83b3bff37fef4a52badd73d60
              • Instruction ID: 49254dd589594c6daf21b026cf82bb49696996d0e1757e70f7cfe241f31cd85a
              • Opcode Fuzzy Hash: 41aa5e353b3c984446231a0c98b0c646825b93f83b3bff37fef4a52badd73d60
              • Instruction Fuzzy Hash: 7E216F75A10206DFCB14CF58C581A6EBBF9FB88714F2441ADD205A7351D771AD46CBD0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62f61558e70a0322dbd2d3d98c97e08422f4108a02b82946436f28cb57770c4f
              • Instruction ID: 4ecd384cf677fd50b5d3082c8ec2423c824c429f7bc14b94de44e6c97e77becf
              • Opcode Fuzzy Hash: 62f61558e70a0322dbd2d3d98c97e08422f4108a02b82946436f28cb57770c4f
              • Instruction Fuzzy Hash: 04219D75620A01EFDB24CF6CC881FAAB7F8FF44750F40882DE59AC7250EA71A840CB60
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 174e9d5c1e1b4aa74991fc2768124822d8d72ce0b98ad40adef5fbfc75627b8d
              • Instruction ID: dd4e37b171376730883cfdb9a3f2de2cefc8cf86e3e60893dfc3d424ddb20eb0
              • Opcode Fuzzy Hash: 174e9d5c1e1b4aa74991fc2768124822d8d72ce0b98ad40adef5fbfc75627b8d
              • Instruction Fuzzy Hash: 80119172260615FBD722DBA9C940F9AB7A8EF95B50F11403DF3059B251DA70E905C790
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6958c28ce043e2fa8a366a385022507f84fb3c0f9252d4b8187b6c21bdb43a4f
              • Instruction ID: 22173aca12d5616faa2fe9bbfd74a91403e07d69b34b1142358b221e36e8b38c
              • Opcode Fuzzy Hash: 6958c28ce043e2fa8a366a385022507f84fb3c0f9252d4b8187b6c21bdb43a4f
              • Instruction Fuzzy Hash: DF116B773201119FCF19DB28CD82A3B7267EFD5774B26462DDA22CB281E9708802C390
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3e73b4fb52e524a58deb0fe1e2e4e1bcbcc1f24ec6a9f07386e9a02df26fc97f
              • Instruction ID: f89f89294edc758bfeb7a21e918b025e88aeda6600de7115c6d63e434e34bbd4
              • Opcode Fuzzy Hash: 3e73b4fb52e524a58deb0fe1e2e4e1bcbcc1f24ec6a9f07386e9a02df26fc97f
              • Instruction Fuzzy Hash: 12118CB6A21206DFCF29CF5DD580EAABBE8EB94650F064079DA059B315E674DD00CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction ID: 0420277dc0c7e0ee03ab4dcfa5103e385457b8c7ba8b2f1a31c1d691500c3d64
              • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
              • Instruction Fuzzy Hash: 94110136A00929AFDB19DB58CC05B9EFBF5FF84214F058269E856A7340E631AE01CB80
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction ID: 2524e40e27cb8e0c3144cba4c33305736146679d038c6b9aca9fa33513ef6ad2
              • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
              • Instruction Fuzzy Hash: BB110631620602EFEB21DF48C848B26BBE6EF51754F468428EA089B170DB70DC84CB90
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6c18f7151c79f54e81eb32586c364b940a84f414d0b88df6bc7cc53d78c7281f
              • Instruction ID: b4afad7ce2590e4c1f59253b83e679d648a78aa3ea107bef4684844986a1d3e9
              • Opcode Fuzzy Hash: 6c18f7151c79f54e81eb32586c364b940a84f414d0b88df6bc7cc53d78c7281f
              • Instruction Fuzzy Hash: C401D67173664AAFE716A66ED885F377B9CFF40794F050069FB008B291EA64DC00C2B1
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 11b238e33d8d843bc00aa3f8cb9d845f05fd7db854f6e0b865f4f3f4a80c7bd5
              • Instruction ID: ba5391375717c4450a5585864e5f34e49bfa2cccc4a26a8ec2c91bb1e75f84e9
              • Opcode Fuzzy Hash: 11b238e33d8d843bc00aa3f8cb9d845f05fd7db854f6e0b865f4f3f4a80c7bd5
              • Instruction Fuzzy Hash: D21106752606829FD72AEF59C880F167BACEB85B64F044119FA4487290C374E880CF60
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a8952f93cfb6a8257fc84ca41304e6269dd769aee033d2dca79f733bb1b98dd
              • Instruction ID: 781e2bd94786c828cadc7fbaece058397b1a589998003081dded9a05f62e3d21
              • Opcode Fuzzy Hash: 9a8952f93cfb6a8257fc84ca41304e6269dd769aee033d2dca79f733bb1b98dd
              • Instruction Fuzzy Hash: B911C2362006159FDB26DB69D840F67BBAAFFC4715F194429EA8287790DB30A806CB94
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c7f04716080c2ac1d30c7cdf35792cd084027db53400ace902dfb20bd8cbf3e9
              • Instruction ID: 6895b12352f07d4e128af03d1f91c6a5d80242a945a1f7ee961d6a9a84867c01
              • Opcode Fuzzy Hash: c7f04716080c2ac1d30c7cdf35792cd084027db53400ace902dfb20bd8cbf3e9
              • Instruction Fuzzy Hash: 4E118E76A10716AFEF21DF6DC980B6EFBF8EF84B50F500459EA01A7240D735AD418BA0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: InitializeThunk
              • String ID:
              • API String ID: 2994545307-0
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction ID: 776910b8d708fbb95f20e904866906fdf6324e9042f2107372f3ec248e67b4ea
              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
              • Instruction Fuzzy Hash: B1F0F8721242049FE3218B09D944B52B7A8EB05364F55842DE7099B561D27AAC40CBA4
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction ID: 0b8c1909cb16e962d6e918f3f15cd94228ea252f9b68db2553fb85770d0765a3
              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
              • Instruction Fuzzy Hash: 88F0E5392643419BDB1EDF19D040AE57BA8FB51360F010094F9428B341E775E9C1DB95
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction ID: c7b04bdd03a41e7f92af73ac60c06f83efdaa4cba4874d8c06b4409fe2c01123
              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
              • Instruction Fuzzy Hash: F5E0D8322741C6ABDB213A5D8921F6677A5DBDA7A0F150429E3009B150DBB8EC42C7D8
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e288ee0dda847421aa2d08b4d01c03bbcb6f87f637242e135f0c0f829b7bcae5
              • Instruction ID: 64a1a6ace4be0eb04a9310a28a353ad51c0b14aa7a019e70e009e5197c3e87b5
              • Opcode Fuzzy Hash: e288ee0dda847421aa2d08b4d01c03bbcb6f87f637242e135f0c0f829b7bcae5
              • Instruction Fuzzy Hash: F6F09B31E35D914FE772D76CD544F5677E4EF90638F1A0594D40687962C724DC80C694
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction ID: c5509e1641d4fe23989ef90c6f1191ed7b854c9e4e9ea02309a354ef576c8302
              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
              • Instruction Fuzzy Hash: 4FE0DF72A00110BBDB22A7998E12FABBEECDB90EA4F050058B600E70D4E530DE00C690
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction ID: add18fbb2b9d06d41b3d8c20edb8ffc4761faa1ba12a7483bffa669c7a0b2403
              • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
              • Instruction Fuzzy Hash: 4EE09B316403548BCB298E1DD140A53BFE8EFD5668F158169E9054B612C231F852C6D4
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db7e0233319e69a4626aac1bb59c4815a9709754c924fbb06d8da822a5ee5e40
              • Instruction ID: 1bb9347fa3628d06a11f4f8f4cd639ccdfb738457bbc2fd9e389b93529612bfa
              • Opcode Fuzzy Hash: db7e0233319e69a4626aac1bb59c4815a9709754c924fbb06d8da822a5ee5e40
              • Instruction Fuzzy Hash: 3EE092721106949BC321FB29DD41FAB779EEB60764F014619F155571D0CA30AC50C798
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction ID: 5f7ce7018da379dcce8eb355fd2d91429ec731081641a9d6d18d5b7a1c3615ca
              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
              • Instruction Fuzzy Hash: A2E0D831061651DFE7366F2AD848B62BBE0FF50716F148C2CE19A225F0CB7498D0CB40
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction ID: 9d9946eaf3c37300e211ce19edd4029a5b8a9c1b34b762df227d0eb2f992cfed
              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
              • Instruction Fuzzy Hash: 4DE0AE343102468BE719DF19C044B627BA6BFD5A10F68C078AA488F205EB32A8428A50
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1bde948adb682ec995412341216c8a0c862fbaf7252779689c8c869ae6db36d9
              • Instruction ID: 80520cda52c912eae76d5f352674f0134008d1b0c5b9f174284d38122756dabe
              • Opcode Fuzzy Hash: 1bde948adb682ec995412341216c8a0c862fbaf7252779689c8c869ae6db36d9
              • Instruction Fuzzy Hash: 94D02B324B10A16BCF35F91C7C04FA73A5DAB50770F014C60F20892050D568CC9193C4
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction ID: d13e1f15b8fb0c31648b6f35621235224796340708dbad56b6d7eb875feb9ea2
              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
              • Instruction Fuzzy Hash: 5DE0C231134A51EFDB322F27DC40F627AA5FF54B90F104C29E582468B487F0AC81DB45
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e953b8837f8586da9bd08d8ee4cfb0ea10a78db1658e9f7db327c5ccf8d1a37
              • Instruction ID: 0fb44301db5c2390cd323bd9aa4da0eb6060bc720c262faabd5b8fbd2659d5e3
              • Opcode Fuzzy Hash: 7e953b8837f8586da9bd08d8ee4cfb0ea10a78db1658e9f7db327c5ccf8d1a37
              • Instruction Fuzzy Hash: 4BE0C232111590ABC311FB6DDD41F6A739EEFA4770F000225F151872D0CA30EC40C798
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
              • Instruction ID: ed7a14455050a03e41646715a44ac9064e20cf6a0cf2027e7136eb7220a48512
              • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
              • Instruction Fuzzy Hash: C5D05E36521A50AFD7329F1BEE40C53BBF9FBC4B50705062EE64583920C670A806DBA0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction ID: 8fe7d4772a5987566a218ae0036e28896b8901e66c183108190e18581e780f56
              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
              • Instruction Fuzzy Hash: 02D0A932224620ABEB32AA2CFC04FD333E8BB98720F060459F008C7050C360AC81CA88
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction ID: 9cb2d460dadf9f205e17c0cd04c9ef750e2dbede76fbe6e7eac363eeaf1a9e2c
              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
              • Instruction Fuzzy Hash: 8EE0EC359616859FDF12DF69C640F9ABBB9BB94B40F560058A1485F660C634AD00CB80
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction ID: f0ac4d83db07a1cac3770ce54d1756a80d6bf3d31c971ede790db6c9fb43a000
              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
              • Instruction Fuzzy Hash: 4AD0223223203193DB2896656841F737905AB80A90F0A012C790AA3800C0248C43D2E0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction ID: 78effa315da07cb47d9715d67044bbbd1800a2be8819ad3906f0e2068843b4f1
              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
              • Instruction Fuzzy Hash: EBD012371E054DBBDB11DF66DC01FA57BA9E764BA0F444020F504875A0C63AE950D684
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bdbe2e05b9dea839e2af7e036d98a96f9667365a624cbd51d28302461ed12461
              • Instruction ID: 2664b92df2be4d50b63d4f24f0aadf4e0233d6dd0b1dd0beb4f4990dca9bb9e9
              • Opcode Fuzzy Hash: bdbe2e05b9dea839e2af7e036d98a96f9667365a624cbd51d28302461ed12461
              • Instruction Fuzzy Hash: F6D0C934675502DBEF2ADF5DCA51E7E7AB4FF14A41F80006CE701A2520E329DC11DB50
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction ID: 857e871de59f69a8c3010b7abc969203c4e61f9a4035c19e94097ba84146132b
              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
              • Instruction Fuzzy Hash: F6C01232150644AFD711DA95CD01F1277A9E798B40F000021F20447570C531E810E644
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction ID: 4c0cfbfdea55cbda9b2ecbebc07bab610db4cf72994f7b56aeb66f3d70831ff4
              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
              • Instruction Fuzzy Hash: A3D01236110248EFCB02EF41D890DAA772AFBD8710F148019FD19076508A31ED62DA50
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction ID: c34eb01d2fe2432ea26fbcd3f0eca8c4d04cf2bb0990be60463af2538b5e055d
              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
              • Instruction Fuzzy Hash: 94C04C757115428FCF15DB19D2D4F9677E4F744740F150890E945CB721E724E801DA11
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2285fee6c95c3aed2c0e24de7337db242a241b60d885e1820403805b7d6e6a7f
              • Instruction ID: a4620097ca557b41b4c836fc21bbab2fa1aed506ae9bde015a5598820d93fefb
              • Opcode Fuzzy Hash: 2285fee6c95c3aed2c0e24de7337db242a241b60d885e1820403805b7d6e6a7f
              • Instruction Fuzzy Hash: E190023161580012914071584CC45864009A7E0341B55C011E1465554CCA148A565761
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e54e6d8c9406e08431c2d85c7483fe09876a9de78864977040a1007994c8df9
              • Instruction ID: 12fd309cf08e371cc95c2e49dc2ec1fa0738b16013b0bb4d0605124c6dd0e74e
              • Opcode Fuzzy Hash: 9e54e6d8c9406e08431c2d85c7483fe09876a9de78864977040a1007994c8df9
              • Instruction Fuzzy Hash: 9C900471711500434140715C4C44447700DF7F13413D5C115F15D5570CC71CCD55D77D
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce2f11bf2994786dcafbe6a56b1256c54bed4712b13bef0dc55a9b666457006b
              • Instruction ID: d8527d923f11b0b532851ca60aa20acf18da4f6ff4c3422131841b2a5f571203
              • Opcode Fuzzy Hash: ce2f11bf2994786dcafbe6a56b1256c54bed4712b13bef0dc55a9b666457006b
              • Instruction Fuzzy Hash: 0A90026121240003410571584854656400E97E0341B55C021E2055590DC52589916625
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a7aae614b63bfcf6e23ba3ba147ab35ac3f6dd66f275c2372c71e80c8295b8a0
              • Instruction ID: c62581348aef3d1187c4baaa5a405692aaba611b405b6a12ee984b80d234cf57
              • Opcode Fuzzy Hash: a7aae614b63bfcf6e23ba3ba147ab35ac3f6dd66f275c2372c71e80c8295b8a0
              • Instruction Fuzzy Hash: 5890023161540802D15071584854786000997D0341F55C011A1065654DC7558B557BA1
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 69904be5566d718c8d1b1e8cfaea1643eca5f2f26f8ec28635f7901fa85897e0
              • Instruction ID: 6965b204f30a2f2ac5bd0577265aa7b04c2bfa8868102c0c7de9c02cf1456b23
              • Opcode Fuzzy Hash: 69904be5566d718c8d1b1e8cfaea1643eca5f2f26f8ec28635f7901fa85897e0
              • Instruction Fuzzy Hash: DA90023121140802D10471584C446C6000997D0341F55C011A7065655ED66589917631
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c22e37bf8e0d3b6444e31f6f4f65e761e36347f2aae002b3dda695ea3ea2a34
              • Instruction ID: d380e31173fd3eb8753c59c71ab0f7ae6e283008a9f9c14618a569df66c00f17
              • Opcode Fuzzy Hash: 1c22e37bf8e0d3b6444e31f6f4f65e761e36347f2aae002b3dda695ea3ea2a34
              • Instruction Fuzzy Hash: C790023121544842D14071584844A86001997D0345F55C011A10A5694DD6258E55BB61
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eafccfaf4332cfbdcf2ef91a5ccbfe62464ac074c682b4fdfa5a3edb1595eaa1
              • Instruction ID: b0f99d26ed4e067421466565c9abf4c355e892383a800845ae18d11a4b5655f4
              • Opcode Fuzzy Hash: eafccfaf4332cfbdcf2ef91a5ccbfe62464ac074c682b4fdfa5a3edb1595eaa1
              • Instruction Fuzzy Hash: 1190023121140802D1807158484468A000997D1341F95C015A1066654DCA158B597BA1
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ba4631ee04c0e168b6d6235a3cddfcff44816e6428d6ead08d598469f370ee7b
              • Instruction ID: 23f4fa02426e993e15d86b8a9b3e2ac333c162640b8f0fadb524f2a01d0ee2a6
              • Opcode Fuzzy Hash: ba4631ee04c0e168b6d6235a3cddfcff44816e6428d6ead08d598469f370ee7b
              • Instruction Fuzzy Hash: 849002A1211540924500B2588844B4A450997E0341B55C016E2095560CC52589519635
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b95fed1092dacd623e9f92d9db8cab6c01a4948e794998827e36edbac4e31eb
              • Instruction ID: 9b532a656abd5575e642d3ce9fbf7043f021cb6019b78e7e7415bb1856908f09
              • Opcode Fuzzy Hash: 4b95fed1092dacd623e9f92d9db8cab6c01a4948e794998827e36edbac4e31eb
              • Instruction Fuzzy Hash: F9900225231400020145B5580A4454B0449A7D6391395C015F2457590CC62189655721
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31cc65a3886c19b6a044c3adbf0b138c1f7c0bd2dffb6c1fc1310a4a631837ec
              • Instruction ID: 149e372f1481ed3c614f33aed270ba582e971377b9f5ceb62b4d806cfdacc3ae
              • Opcode Fuzzy Hash: 31cc65a3886c19b6a044c3adbf0b138c1f7c0bd2dffb6c1fc1310a4a631837ec
              • Instruction Fuzzy Hash: 55900225221400030105B5580B44547004A97D5391355C021F2056550CD62189615621
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0f91ef10d2a0c872eba6d779ae571d05c0cd79d7ed9cf4c83f6059b96a459bc
              • Instruction ID: adf19729c7b80b79ae55a7fbcc12612ea56874b95d07d429a19a234b275d4c44
              • Opcode Fuzzy Hash: b0f91ef10d2a0c872eba6d779ae571d05c0cd79d7ed9cf4c83f6059b96a459bc
              • Instruction Fuzzy Hash: 0090043131140003D140715C5C5C747400DF7F1341F55D011F1455554CDD15CD575733
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 650f53df35210adf6ff657ee85fed6b46ac567b068fe7009e4f47eacd3858412
              • Instruction ID: 15d2863a93f904b562d73a60c95038fd476cc744dde7070244c6c409e79e3348
              • Opcode Fuzzy Hash: 650f53df35210adf6ff657ee85fed6b46ac567b068fe7009e4f47eacd3858412
              • Instruction Fuzzy Hash: 3390022121544442D10075585848A46000997D0345F55D011A20A5595DC6358951A631
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5d129962993f83e890683511700940f508a7b84dd76889c1968630da4233e412
              • Instruction ID: 6d450ef6ab692b83854b09579fb3bf58bad94d47f0598dfe1e93ec734e117737
              • Opcode Fuzzy Hash: 5d129962993f83e890683511700940f508a7b84dd76889c1968630da4233e412
              • Instruction Fuzzy Hash: 3190022922340002D1807158584864A000997D1342F95D415A1056558CC91589695721
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7e39b38dcc4d6c4a86fd93fcb0dfaf683cf78c61cefdf00f15c7a8130a3587dc
              • Instruction ID: 544ef5a41e78feaf76f523754c668b219938b5e94a25e4d8c15392bbf935d1f0
              • Opcode Fuzzy Hash: 7e39b38dcc4d6c4a86fd93fcb0dfaf683cf78c61cefdf00f15c7a8130a3587dc
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: c13c9539635b4cc647c72dd6d503dd5a892f9d711552626dff7df7347434affc
              • Instruction ID: 18f7ac8b84b61e414ebf8dc533851a0fba24d96abb1ff92076d51d0cb787701e
              • Opcode Fuzzy Hash: c13c9539635b4cc647c72dd6d503dd5a892f9d711552626dff7df7347434affc
              • Instruction Fuzzy Hash: 5351E5B2A20117AFCB11DB9CC9C097EFBB8BB48740B948229F565D7641D374DE0087A0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
              • API String ID: 48624451-2108815105
              • Opcode ID: 906b9817f1a1e91fe31405e933d4b87cff93664a76a20a84e89b822b685a4629
              • Instruction ID: ee29b26d767730ec264058df4b3a3882c10a2a28a73cf57acfcc4893ea95b8d2
              • Opcode Fuzzy Hash: 906b9817f1a1e91fe31405e933d4b87cff93664a76a20a84e89b822b685a4629
              • Instruction Fuzzy Hash: FB512771A00645AECB39DF9CC8D087FFBF8EF44304B248459E496D7646EA74DA40C760
              Strings
              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012D46FC
              • Execute=1, xrefs: 012D4713
              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 012D4725
              • CLIENT(ntdll): Processing section info %ws..., xrefs: 012D4787
              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 012D4742
              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 012D4655
              • ExecuteOptions, xrefs: 012D46A0
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
              • API String ID: 0-484625025
              • Opcode ID: e440772194711824ad702d1fe4fa8460dd20f3ee6a3ef9b704fca88c68903bd3
              • Instruction ID: 2045b5be44d1b95c8fef38778468cfe9fdac249613bec6801cf5fb9901efd6fa
              • Opcode Fuzzy Hash: e440772194711824ad702d1fe4fa8460dd20f3ee6a3ef9b704fca88c68903bd3
              • Instruction Fuzzy Hash: 5E51293167021ABFEF14AEACDC85FFD77A8AF54304F4400A9D605AB191E7709A418F90
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-$0$0
              • API String ID: 1302938615-699404926
              • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction ID: d2236d7463839815b8bb3b9898cc52eff3e85672df0e5173d38bf8861d43ee2c
              • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
              • Instruction Fuzzy Hash: DF81E231E2524A8FEF29CF6CC8917FEBFB1AF45720F984259DA61A7291C7708840CB51
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$[$]:%u
              • API String ID: 48624451-2819853543
              • Opcode ID: 74bffe2a51f293e46abefea15f4cdc5c1bbedebc38baed15a7d6dec5696eac8c
              • Instruction ID: 87cebf3b3e6227ada60b6c9a8a2796164e6ef747354a26c2bd52037d76a648d2
              • Opcode Fuzzy Hash: 74bffe2a51f293e46abefea15f4cdc5c1bbedebc38baed15a7d6dec5696eac8c
              • Instruction Fuzzy Hash: 0F21517AE10119ABDB15DF69CC40AFFBBF9AF54754F540126E905E3205E730DA018BA1
              Strings
              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012D02E7
              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012D02BD
              • RTL: Re-Waiting, xrefs: 012D031E
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
              • API String ID: 0-2474120054
              • Opcode ID: e4bd0b6630932e6887f7dd0eac57ee9c04300973cfdf5040e10572eae0e08e59
              • Instruction ID: c43111dfd8f3a0920e559419b427925d2613899ea536fa1e53cc83de19dfde8e
              • Opcode Fuzzy Hash: e4bd0b6630932e6887f7dd0eac57ee9c04300973cfdf5040e10572eae0e08e59
              • Instruction Fuzzy Hash: 23E1BF30625742DFE725EF28C985B2ABBE0BB88714F140A1DF6A5CB2E1D774D844CB52
              Strings
              • RTL: Re-Waiting, xrefs: 012D7BAC
              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 012D7B7F
              • RTL: Resource at %p, xrefs: 012D7B8E
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 0-871070163
              • Opcode ID: 84b841e30619de4486a6a577c107ddab680e95f9e65c377df34170d0c2d35980
              • Instruction ID: 90e7de1ada1a848fe2941fb048008c7883c751edd2593ea9fcba4a886d17e59f
              • Opcode Fuzzy Hash: 84b841e30619de4486a6a577c107ddab680e95f9e65c377df34170d0c2d35980
              • Instruction Fuzzy Hash: E241E3353207039FDB25DE2DD841F6AB7E5EF98710F100A2DFA5A9B680DB71E8058B91
              APIs
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012D728C
              Strings
              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 012D7294
              • RTL: Re-Waiting, xrefs: 012D72C1
              • RTL: Resource at %p, xrefs: 012D72A3
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
              • API String ID: 885266447-605551621
              • Opcode ID: 3a5736caba91953578a657473219100150cb9486451aaba8a0b2e661ec7483e0
              • Instruction ID: 40ce60f8f81b1bcc0097b2d58aef2cdaae972e37f07113b762d193db758e4899
              • Opcode Fuzzy Hash: 3a5736caba91953578a657473219100150cb9486451aaba8a0b2e661ec7483e0
              • Instruction Fuzzy Hash: 21410231720243ABDB21DE29CC46F6AB7A5FF94714F100619FE55AB240DB25F84287D1
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: ___swprintf_l
              • String ID: %%%u$]:%u
              • API String ID: 48624451-3050659472
              • Opcode ID: 9dcbb2cff774d79f913a7b6be5891e86af022c9e145f6cda8f549ff39edffc21
              • Instruction ID: 2951bef124f4616687db83b1de21cdfd4b3e3f77f8a8322379c1c5b1addc5e7a
              • Opcode Fuzzy Hash: 9dcbb2cff774d79f913a7b6be5891e86af022c9e145f6cda8f549ff39edffc21
              • Instruction Fuzzy Hash: 8331A272A102199FDB24DE2DCC40BEFB7B8EB04754F94045AE849E3204EB30EA548BA0
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: __aulldvrm
              • String ID: +$-
              • API String ID: 1302938615-2137968064
              • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction ID: 05c817ef4d2128881e908bc6e331d1b7f100cf819d17c85dd3abe158287495a6
              • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
              • Instruction Fuzzy Hash: 5A91D570E202079BEF24DF6DC8816BEBBB9AF44320F94451AEB55E72C0D7328A408759
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID:
              • String ID: $$@
              • API String ID: 0-1194432280
              • Opcode ID: 0f94c814cc604446b94718de545a88b56a0323d54485a809bc0d57a95a2341cf
              • Instruction ID: c77e8574062d951ff115a082a83027becbe91b8e96b7d5fe825e09e06559c729
              • Opcode Fuzzy Hash: 0f94c814cc604446b94718de545a88b56a0323d54485a809bc0d57a95a2341cf
              • Instruction Fuzzy Hash: A4811B71D1026ADFDB35DB54CC45BEEB6B8AB08754F1041DAEA19B7280EB705E84CFA0
              APIs
              • @_EH4_CallFilterFunc@8.LIBCMT ref: 012ECFBD
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2375938389.0000000001230000.00000040.00001000.00020000.00000000.sdmp, Offset: 01230000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_1230000_AWB-112-17259653.jbxd
              Similarity
              • API ID: CallFilterFunc@8
              • String ID: @$@4Cw@4Cw
              • API String ID: 4062629308-3101775584
              • Opcode ID: 52e549607ec7ced39e3a90e5111599180ea046d9f39ddbe5fb91964fa7d21b31
              • Instruction ID: 0d123994a076a6859828d0ce5569bf7f23a298b7f6c370f85db73c042bef509e
              • Opcode Fuzzy Hash: 52e549607ec7ced39e3a90e5111599180ea046d9f39ddbe5fb91964fa7d21b31
              • Instruction Fuzzy Hash: 57419BB192021ADFDB219FE9C844ABEBBF8FF54B44F44412AEA05EB254D7709801CB61