

Windows Analysis Report
Signed Document..exe

Overview

General Information

Sample name:Signed Document..exe
Analysis ID:1499171
MD5:b04baf73f6244754828f8583d110dd88
SHA1:651c010d7d52be0dd2dad5f1408dbddf5a1e4e87
SHA256:86a38c7be7f024035b513355c83265e1e210a2c82329839538a734ad75275d7b
Tags:exe

Detection

Remcos, DarkTortilla, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected PureLog Stealer
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • Signed Document..exe (PID: 5032 cmdline: "C:\Users\user\Desktop\Signed Document..exe" MD5: B04BAF73F6244754828F8583D110DD88)
    • InstallUtil.exe (PID: 4072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • powershell.exe (PID: 5492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 3692 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • schtasks.exe (PID: 6472 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vbc.exe (PID: 6676 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
      • vbc.exe (PID: 5404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
  • TWzqRLWZGd.exe (PID: 4436 cmdline: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
Malware Configuration (Remcos, as extracted from the vbc.exe memory dump):
{"Host:Port:Password": "www.lig-gu.com:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZI0DZ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
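The configuration above is the raw output of the sandbox's extractor. As an added example that is not part of the Joe Sandbox report, the Python below turns it into the host and network indicators an analyst would actually hunt for: the C2 endpoint, the mutex, the registry key Remcos derives from the mutex (the report records vbc.exe setting HKCU\SOFTWARE\Rmc-ZI0DZ3\exepath, which is how that derivation is confirmed here), the keylog file name and the persistence flags. The "|" separator assumed for multiple C2 entries, the helper names and the resolved-IP handling in matches_c2 are assumptions, not something the report states.

```python
"""Turn the extracted Remcos configuration into concrete host and network IOCs."""
import json
from typing import Dict, List, Tuple

# Remcos configuration exactly as the report's extractor printed it.
RAW_CONFIG = r'''{"Host:Port:Password": "www.lig-gu.com:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZI0DZ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''


def load_config(raw: str = RAW_CONFIG) -> Dict[str, str]:
    return json.loads(raw)


def parse_c2(field: str) -> List[Tuple[str, int, str]]:
    """Split the 'host:port:password' field into (host, port, password) tuples.
    Assumption: several C2 entries are joined with '|' (this sample carries one).
    rsplit from the right keeps a host that itself contains ':' intact."""
    c2s = []
    for entry in filter(None, field.split("|")):
        host, port, password = entry.rsplit(":", 2)
        c2s.append((host, int(port), password))
    return c2s


def host_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Derive the indicators a responder can check on an endpoint."""
    mutex = cfg["Mutex"]
    return {
        "c2": parse_c2(cfg["Host:Port:Password"]),
        "mutex": mutex,
        # Remcos keeps its install path under HKCU\SOFTWARE\<mutex>\exepath; the
        # report records vbc.exe setting exactly this key (with a non-plaintext value).
        "registry": "HKCU\\SOFTWARE\\" + mutex + "\\exepath",
        "keylog_file": cfg["Keylog file"],
        "keylogging": cfg["Keylog flag"] == "1",
        "keylog_encrypted": cfg["Keylog crypt"] == "Enable",
        "run_key_persistence": cfg["Setup HKCU\\Run"] == "Enable"
        or cfg["Setup HKLM\\Run"] == "Enable",
        "install_enabled": cfg["Install flag"] == "Enable",
        "screenshots": cfg["Screenshot flag"] == "Enable",
    }


def matches_c2(host: str, port: int, iocs: Dict[str, object],
               resolved=frozenset()) -> bool:
    """True when (host, port) is a configured C2 endpoint. The config only names
    the domain, so the IPs it resolved to (from DNS logs) are passed in `resolved`."""
    for c2_host, c2_port, _password in iocs["c2"]:
        if port == c2_port and (host == c2_host or host in resolved):
            return True
    return False


IOCS = host_iocs(load_config())

if __name__ == "__main__":
    for key, value in IOCS.items():
        print(f"{key}: {value}")
```

Two things the derived indicators make visible: the Suricata alerts later in this report hit destination port 2404, the port in the configuration, while the destination IP 103.161.133.100 is only known from the DNS answer for www.lig-gu.com, so port-plus-resolved-IP is the right network match. And "Install flag" is Disable even though both Run-key flags are Enable, meaning Remcos was not asked to install itself; the persistence observed in this run is the scheduled task created by the InstallUtil.exe stage, so both the Run keys and the task folder "Updates\" need checking.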
Yara matches, dropped files (Source | Rule | Description | Author):
  • C:\ProgramData\fghjhh\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches, memory dumps (Source | Rule | Description | Author | Strings):
  • 00000000.00000002.3044769283.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
  • 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
      0x6c4a8:$a1: Remcos restarted by watchdog!
      0x6ca20:$a3: %02i:%02i:%02i:%03i
  (18 further memory-dump matches are not included in this extract)

Yara matches, unpacked PEs (Source | Rule | Description | Author):
  • 5.2.InstallUtil.exe.8040000.7.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 5.2.InstallUtil.exe.8040000.7.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 5.2.InstallUtil.exe.333b54c.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 0.2.Signed Document..exe.55e0000.4.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
  • 13.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  (22 further unpacked-PE matches are not included in this extract)

The leading number in these source names is the process index: 0 is the submitted Signed Document..exe, 5 (00000005) is InstallUtil.exe PID 4072 and 13 (0000000D) is vbc.exe PID 5404. Read that way, the DarkTortilla crypter hits sit in the original sample, the PureLog Stealer hits in the first injected stage (InstallUtil.exe), and the Remcos and CMSTP UAC-bypass hits in the final vbc.exe stage, whose dump at 0x400000 is the injected image base.

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 4072, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ProcessId: 5492, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 4072, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp", ProcessId: 6472, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 4072, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ProcessId: 5492, ProcessName: powershell.exe
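Every Sigma hit above keys on a command line launched by the injected InstallUtil.exe host, and the Image fields show the SysWOW64 copies of powershell.exe and schtasks.exe because the 32-bit InstallUtil.exe launched them under WoW64 file redirection. As an added example that is not part of the Joe Sandbox report, the Python below encodes those checks as plain process-creation rules (Defender exclusion via Add-MpPreference, schtasks /Create from an XML in a Temp folder) plus two that the process tree suggests (a .NET utility started with an empty command line, and a LOLBin whose parent is such a utility), and runs them over constructed events copied from the tree. The rule names, the INJECTION_HOSTS list and the benign control event are assumptions.

```python
"""Process-creation triage rules modeled on this report's process tree."""
import re
from typing import Dict, List

# Constructed sample events. PIDs, images and command lines are copied from the
# report's process tree and Sigma data; the last event is an added benign control.
EVENTS: List[Dict[str, str]] = [
    {"pid": "4072",
     "parent_image": r"C:\Users\user\Desktop\Signed Document..exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"pid": "5492",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"pid": "6472",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp"'},
    {"pid": "6676",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'},
    {"pid": "9001",  # benign control, constructed for the example
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-MpPreference'},
]

# .NET utilities this report shows being used as injection hosts. Assumed list;
# in production it is usually extended (RegAsm.exe, RegSvcs.exe, MSBuild.exe, ...).
INJECTION_HOSTS = {"installutil.exe", "vbc.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(cmdline: str) -> bool:
    """True when the command line is nothing but the (optionally quoted) image.
    A legitimate InstallUtil.exe or vbc.exe invocation always carries arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        rest = s.split(None, 1)[1] if " " in s else ""
    return rest.strip() == ""


def detect(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules the event trips (empty list if none)."""
    findings: List[str] = []
    img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    # PowerShell adding a Defender exclusion (path, process or extension)
    if img == "powershell.exe" and re.search(r"\bAdd-MpPreference\b", cmd, re.I) \
            and re.search(r"-Exclusion(Path|Process|Extension)\b", cmd, re.I):
        findings.append("defender_exclusion_added")
    # Task registered from an XML definition dropped in a Temp folder
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) \
            and re.search(r'/xml\s+"?[^\s"]*\\temp\\', cmd, re.I):
        findings.append("schtasks_xml_from_temp")
    # .NET utility started with an empty command line: classic hollowing target
    if img in INJECTION_HOSTS and has_no_arguments(cmd):
        findings.append("dotnet_utility_without_arguments")
    # LOLBins spawned by a process that has no business being a parent
    if parent in INJECTION_HOSTS and img in {"powershell.exe", "schtasks.exe", "cmd.exe"}:
        findings.append("lolbin_spawned_by_injection_host")
    return findings


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map PID -> findings for every event that trips at least one rule."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        found = detect(ev)
        if found:
            hits[ev["pid"]] = found
    return hits


if __name__ == "__main__":
    for pid, found in scan(EVENTS).items():
        print(pid, ", ".join(found))
```

The scheduled task created here points at C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe, which the process tree lists with the same MD5 as InstallUtil.exe (5D4073B2EB6D217C19F2B22F21BF8D57) and which carries the InstallUtil.pdb path, so a hash-based allowlist would pass it; the path and parent-child rules above are what still fire on this pattern.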

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 4072, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp", ProcessId: 6472, ProcessName: schtasks.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: C4 96 53 A5 48 B1 B1 6D C5 E0 17 3C 25 EB B1 B7 21 39 05 54 0C 57 F2 6D 84 17 19 8B B1 D5 C8 6D B9 25 55 1A 1C B8 A5 77 94 56 40 02 C6 BC 63 5A AC 4F 05 0C C3 F9 CA 90 35 60 2F 4E 55 C1 E2 BD 50 48 D9 15 6E 65 C1 F8 CA 7B DA 90 88 40 DF 25 F9 25 66 18 A5 14 54 B7 1B F4 96 3A B3 AE 6C E9 D1 E0 C0 71 40 2E 5B 10 73 CE A1 BE, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, ProcessId: 5404, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZI0DZ3\exepath

Suricata IDS alerts

  • Timestamp: 2024-08-26T17:41:41.369147+0200 | SID: 2032776 | Severity: 1 | Source Port: 49717 | Destination Port: 2404 | Protocol: TCP | Classtype: Malware Command and Control Activity Detected
  • Timestamp: 2024-08-26T17:42:03.775150+0200 | SID: 2032776 | Severity: 1 | Source Port: 49718 | Destination Port: 2404 | Protocol: TCP | Classtype: Malware Command and Control Activity Detected

Signature Overview

AV Detection

Source: 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "www.lig-gu.com:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZI0DZ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Signed Document..exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5404, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\fghjhh\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Signed Document..exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: InstallUtil.exe, 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_c2440151-b)

Exploits

Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5404, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_004074FD _wcslen,CoGetObject (CoGetObject with an elevation moniker is how the CMSTPLUA COM object behind the "UAC Bypass using CMSTP" Yara hit is instantiated)
Source: Signed Document..exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll | source: TWzqRLWZGd.exe, 0000000E.00000000.3033059620.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, TWzqRLWZGd.exe.5.dr
Source: Binary string: InstallUtil.pdb | source: TWzqRLWZGd.exe, 0000000E.00000000.3033059620.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, TWzqRLWZGd.exe.5.dr
(The PDB path, together with the identical MD5 5D4073B2EB6D217C19F2B22F21BF8D57 that the process tree lists for both InstallUtil.exe and TWzqRLWZGd.exe, shows that the scheduled-task target dropped to AppData\Roaming is a renamed copy of the legitimate .NET InstallUtil.exe rather than the payload itself.)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0044E879 FindFirstFileExA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040783C FindFirstFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_02C4BA48 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_02C4BA39 4x nop then lea esp, dword ptr [ebp-08h]

Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49717 -> 103.161.133.100:2404
Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49718 -> 103.161.133.100:2404
Source: Malware configuration extractor | URLs: www.lig-gu.com
Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 103.161.133.100:2404
Source: Joe Sandbox View | ASN Name: AARNET-AS-AP Australian Academic and Research Network AARNet
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_00404B96 WaitForSingleObject,SetEvent,recv
Source: global traffic | DNS traffic detected: DNS query: www.lig-gu.com
Source: vbc.exe | String found in binary or memory: http://geoplugin.net/json.gp (a legitimate geolocation service that Remcos queries at start-up; not a C2 indicator on its own)
Source: InstallUtil.exe, 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: InstallUtil.exe, 00000005.00000002.3027659257.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 (idHook 0x0D is WH_KEYBOARD_LL, the global low-level keyboard hook)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx

E-Banking Fraud

Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5404, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\fghjhh\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0041C9E2 SystemParametersInfoW (the API behind the "change the wallpaper" signature)

                      System Summary

                      barindex
                      Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                      Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                      Source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                      Source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: vbc.exe PID: 5404, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: initial sample | Static PE information: Filename: Signed Document..exe
Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_012EA6A8 CreateProcessAsUserW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 00401E65 appears 34 times
Source: Signed Document..exe, 00000000.00000002.3044769283.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMiPro.dll, vs Signed Document..exe
Source: Signed Document..exe, 00000000.00000002.3044769283.0000000003E6E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametasiO.exe: vs Signed Document..exe
Source: Signed Document..exe, 00000000.00000002.3000915245.00000000010DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Signed Document..exe
Source: Signed Document..exe, 00000000.00000002.3006553740.0000000001250000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll, vs Signed Document..exe
Source: Signed Document..exe, 00000000.00000002.3007360066.0000000003512000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametasiO.exe: vs Signed Document..exe
Source: Signed Document..exe, 00000000.00000000.2103663600.0000000000A66000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAdobe Download ManagerN vs Signed Document..exe
Source: Signed Document..exe, 00000000.00000002.3054456996.00000000055E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMiPro.dll, vs Signed Document..exe
Source: Signed Document..exe | Binary or memory string: OriginalFilenameAdobe Download ManagerN vs Signed Document..exe
Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 5404, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ej8OdSEVAPu7fUtUfF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ej8OdSEVAPu7fUtUfF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ubgLl77gT8BXCb2LKf.cs | Security API names: _0020.SetAccessControl
Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ubgLl77gT8BXCb2LKf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ubgLl77gT8BXCb2LKf.cs | Security API names: _0020.AddAccessRule
Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ubgLl77gT8BXCb2LKf.cs | Security API names: _0020.SetAccessControl
Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ubgLl77gT8BXCb2LKf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ubgLl77gT8BXCb2LKf.cs | Security API names: _0020.AddAccessRule
Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ej8OdSEVAPu7fUtUfF.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ej8OdSEVAPu7fUtUfF.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@19/15@1/1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,13_2_00417952
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,13_2_0040F474
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,13_2_0041B4A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,13_2_0041AA4A
                      Source: C:\Users\user\Desktop\Signed Document..exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Signed Document..exe.logJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\zucsXd
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-ZI0DZ3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Temp\tmp394.tmpJump to behavior
                      Source: Signed Document..exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Signed Document..exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: Signed Document..exeReversingLabs: Detection: 68%
                      Source: unknownProcess created: C:\Users\user\Desktop\Signed Document..exe "C:\Users\user\Desktop\Signed Document..exe"
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe"Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: dwrite.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Section loaded: windowscodecs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dwrite.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: textshaping.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windowscodecs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: propsys.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: edputil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: netutils.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: appresolver.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: bcp47langs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: slc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sppc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: winmm.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: wininet.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: netutils.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: rstrtmgr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: rasadhlp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\Signed Document..exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\Signed Document..exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: Signed Document..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Signed Document..exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: Signed Document..exe | Static file information: File size 2642944 > 1048576
                      Source: Signed Document..exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x282600
                      Source: Signed Document..exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: TWzqRLWZGd.exe, 0000000E.00000000.3033059620.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, TWzqRLWZGd.exe.5.dr
                      Source: Binary string: InstallUtil.pdb source: TWzqRLWZGd.exe, 0000000E.00000000.3033059620.00000000008F2000.00000002.00000001.01000000.0000000E.sdmp, TWzqRLWZGd.exe.5.dr

                      Data Obfuscation

                      Source: Yara match | File source: 0.2.Signed Document..exe.55e0000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Signed Document..exe.3db9550.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Signed Document..exe.55e0000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.Signed Document..exe.3db9550.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3044769283.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3054456996.00000000055E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3007360066.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Signed Document..exe PID: 5032, type: MEMORYSTR
                      Source: Signed Document..exe, Cx.cs | .Net Code: x0X System.Reflection.Assembly.Load(byte[])
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ubgLl77gT8BXCb2LKf.cs | .Net Code: E9AM8kkAHA System.Reflection.Assembly.Load(byte[])
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ubgLl77gT8BXCb2LKf.cs | .Net Code: E9AM8kkAHA System.Reflection.Assembly.Load(byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,13_2_0041CB50
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_013067A4 push esi; retf 0004h 0_2_013067A7
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_05E76D28 pushfd ; retf 0_2_05E76D31
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_05E7B585 push eax; ret 0_2_05E7B593
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_05E7B57F push eax; ret 0_2_05E7B583
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_073BC73C push esp; retn 0000h 0_2_073BC743
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_073BC6B8 push esp; retn 0000h 0_2_073BC6B9
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_073BC69B push FFFFFF8Bh; iretd 0_2_073BC6A0
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_073BC500 push esp; retn 0000h 0_2_073BC501
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_073BC5BC push FFFFFF8Bh; iretd 0_2_073BC5BE
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_073BC588 push esp; retn 0000h 0_2_073BC589
                      Source: C:\Users\user\Desktop\Signed Document..exe | Code function: 0_2_0778FB3E push FFFFFFE9h; retn 0001h 0_2_0778FB40
                      Source: C:\Users\user\Desktop\Signed Document..exeCode function: 0_2_0778FC35 push FFFFFFE9h; ret 0_2_0778FC3F
                      Source: C:\Users\user\Desktop\Signed Document..exeCode function: 0_2_0778C8CC pushad ; retf 0_2_0778C8CD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0312AAC0 pushfd ; ret 5_2_0312AAC1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_05E0A27E push cs; retf 5_2_05E0A27F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_065BB2BB push es; ret 5_2_065BB324
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_065BB355 push es; iretd 5_2_065BB358
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_08036198 pushfd ; retf 5_2_0803619C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_0803D3FE push esp; iretd 5_2_0803D401
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00457106 push ecx; ret 13_2_00457119
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0045B11A push esp; ret 13_2_0045B141
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0045E54D push esi; ret 13_2_0045E556
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00457A28 push eax; ret 13_2_00457A46
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00434E56 push ecx; ret 13_2_00434E69
                      Source: Signed Document..exe, Cx.cs | High entropy of concatenated method names: 'Wt46Xd', 'w3', 'Km', 'k7', 'e4', 'Ls', 'j3', 'r7', 'i0', 'Hi'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, CwQMvTvg8QkTnEF6Ok.cs | High entropy of concatenated method names: 'aPJ7wkmtd5', 'wZI7Jh94Dl', 'EZ57H17P7U', 'dsp7E0dlaL', 'xSX7ANEeC9', 'gJd7i7SIWg', 'w647qSHgTD', 'p2w7LHjKk6', 'bxU7meZyPm', 'XFV7UIPqWW'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, vAvprgtwNeXhNcpAeW.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AqWxOUFfKg', 'mscxpt1qng', 'PYUxzMMapy', 'Goi0h9Ll4A', 'rAL0er3wEg', 'O770xqQ6yF', 'ckH00b3gnA', 'hHuh1CJvx4TGtZndISn'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, irmemvhMvWkdnCVjvX.cs | High entropy of concatenated method names: 'rGDVTbJ1qm', 'WBfVdMsuFu', 'ToString', 'tITVgpbPw6', 't1wVf726sV', 'uQdVCZ1KRb', 'tBqV4hfp4E', 'XTRVaS0W7Z', 'MkgVR8DhcZ', 'v6pVup74lW'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, kS9TZK09RS9IaGYnvt.cs | High entropy of concatenated method names: 'om38mF19e', 'EupQ0pcEY', 'UYi6Wmt8s', 'DmXtUI0KR', 'oltJsJMAR', 'RvCYGhRjK', 'qW5y6cAfuvFMa0RWa8', 'NgdviqBrXSVyfu6AZp', 'CKIZvgwNi', 'QsC1MSqca'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ej8OdSEVAPu7fUtUfF.cs | High entropy of concatenated method names: 'bL1f5Iekqt', 'dJcf3hnuWd', 'sa6fkBD2hf', 'gVTfWMvAil', 'ke3fsWGffC', 'dEqfympbWA', 'k6sfNqY3Q1', 'jtTfoJv8y4', 'RuMfOI81C6', 'kEtfpRt0g4'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, UJFYNwKrO8iv592QC4.cs | High entropy of concatenated method names: 'y5dZgLyhAv', 'PZ5Zf5YCA6', 'NgcZCaeJFe', 'l6QZ4mYgUD', 'rerZaQuxMS', 'UtWZR1jcpg', 'XJIZuOaZnC', 'rKfZl7FUhF', 'sPdZTpOvem', 'WlFZdq4gD3'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, mxyKR16oIMJQkHIws0.cs | High entropy of concatenated method names: 'pH44BlTNDa', 'Pdl4tmWOaP', 'F0kCSIKqaf', 'nwZCAL0xKS', 'seCCihLFM8', 'UL6CKM9Tu2', 'PX0CqS2IIH', 'xXECLsPtba', 'rcTCvZh78M', 'QncCmiXr5G'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, DSdiTDSH6jLMQXtSaS.cs | High entropy of concatenated method names: 'ToString', 'GRwXUxT8mk', 'DeyXE2GnwE', 'G4wXS4dGMK', 'cM0XAgduAM', 'uVPXi4ZegJ', 'MPqXKKwd1C', 'eEfXqWy5Fn', 'sb1XLvAwgD', 'zN7Xv6L3Sw'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, esWjGfHURDxEMCTvqj.cs | High entropy of concatenated method names: 'Dispose', 'NayeOV0U6N', 'CO9xE0rcxd', 'VrY99Qmwi5', 'p9pepo6raf', 'QLmezaNWC6', 'ProcessDialogKey', 'JSjxhlTbsw', 'Wduxe17XTF', 't0NxxduXPO'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, aNcrudit9S9gKZdosD.cs | High entropy of concatenated method names: 'TxhRnSuo16', 'BS9R2tNNRF', 'T5aR8JyiFf', 'NMDRQv5aEf', 'tgGRBDhvss', 'SSJR6xEAo8', 'tp4RtgoHVZ', 'otKRwVJGDK', 'CpGRJvUBoE', 'GQuRYj7nKr'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, I2XYi7rTK9xQAb4rcC.cs | High entropy of concatenated method names: 'ajweRKqI6r', 'rGQeuM5KmB', 'lWceT30P1r', 'UUmedetyHP', 'WsAebrtEki', 'PWpeXHfNXU', 'JMSZavbvK6ssRDdR0X', 'PaJBe8yufteiiTtt0N', 'WW9eeYDbx4', 'cQTe0C2Xds'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, vnCksNO0SG5dFSdEpDn.cs | High entropy of concatenated method names: 'qNM1nUmEUW', 't5X12AtGPg', 'r1r18PaiuP', 'xbMGlOIyhoroKmoBplS', 'G7lKw5IZmJ62BL1Jc2V', 'hujogAI2OHmmEOaRQj0', 'CyUBwhInEVTJmVkeReI', 'RKihFVIOPMnu59r0Ugd'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, QAbs1fOJpJ2mDUuLZkg.cs | High entropy of concatenated method names: 'Ht3rnq7Fhm', 'j65r2SJI05', 'hFXr8w2nMj', 'EBJrQ7SSBK', 'AbJrB8dAvx', 'yFQr6E0Mh2', 'ysprtFDM9U', 'aZ7rw6Yxl9', 'KDKrJlL3qR', 'BY2rYQnCW3'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, rhvQSadoDuEYo1o4WL.cs | High entropy of concatenated method names: 'kNhRgmJcO8', 'SxlRCoMAHf', 'BQbRa3AXNC', 'FFTapU1rYW', 'iTJazvnp8N', 'dP2RhKi4rX', 'W94Rem1SQ6', 'jxGRxTmjC1', 'lQZR0tgua1', 'qQuRM3C0ir'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, SKtpa2bmOodxw7JdEL.cs | High entropy of concatenated method names: 'spLak34iRA', 'gUEaWjNSwZ', 'sJ0asDqZck', 'ToString', 'NvHaymLf5p', 'CgdaNhq8g6', 'PKTaXV4hErslqQrMpkN', 'Q2NhMW4HSe2b5Cd2XJY', 'P01FcF4ESHSpDsesMXa', 'svtQUq4QuckQF32qOrb'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, xRRgWip8QKa0lUPQ0l.cs | High entropy of concatenated method names: 'rmrbm927y9', 'y4kbGTCxCi', 'EHUb5knY0H', 'aHMb3iYJbn', 'gQ6bE9njdQ', 'mv1bSlbmot', 'QGCbAjhCKx', 'oFFbi661fF', 'NM2bK2ITVA', 'TclbqQNMK7'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, M0OmuR9QAlfSy6MfaJ.cs | High entropy of concatenated method names: 'pUVZHZYijx', 'FG2ZEoa5sW', 'LRfZSxamsv', 'DFPZAY7iyp', 'tOAZ5Yw2Os', 'lbkZimGUNZ', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, MW2N2ECw4ZmRfkZ0yT.cs | High entropy of concatenated method names: 'vKvCQWwcT7', 'rASC6iS0aC', 'dqOCwybtR2', 'sewCJvRVL2', 'tTxCbAP7nx', 'DIxCXq0ibu', 'mxaCVpfYAh', 'eeBCZxRS4m', 'JpKCrtXeoD', 'HcJC1Mcrlj'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, GIGVQf1cI5vJviOpNr.cs | High entropy of concatenated method names: 'p9creGn65F', 'J7ur00oCvO', 'MevrM9w4OJ', 'ryZrgLD5no', 'BNFrfq1EvC', 'XX1r48FSSc', 'T1fra8uPm2', 'A0CZNr5Pti', 'BMpZo4sxP4', 'PcwZOmBqZo'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, ubgLl77gT8BXCb2LKf.cs | High entropy of concatenated method names: 'PVO0DvZtbe', 'Mjg0ggUKcV', 'e0W0f1fSrf', 'UXq0Cw1tnm', 'OJd049vL92', 'ILd0a9QcD7', 'A5x0RgoxV1', 'HAb0uZs4f4', 'vWJ0lNJrxa', 'wrK0Tepsla'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, KF7dk8z8WeCEUg5LKa.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PjZr7EGmCC', 'GyErbsupfM', 'gNhrX6EYX8', 'LQdrVcxVsV', 'RILrZ09PWw', 'cBYrrUZwZF', 'aohr1tJXPY'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, pI0Ixxfq9w4e0DrCFc.cs | High entropy of concatenated method names: 'lo1VoDJ3GQ', 'WmRVpGhG0t', 'oSGZhdmiZb', 'va5Zeq9iyi', 'sWlVUps5ba', 'q7cVGtVOu6', 'LdgVFYfe5x', 'brSV5ysl2F', 'bDZV3lltw3', 'wVUVkt1OJe'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, wgXbhrOsouI4f4kSR7P.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Awq15ICZjP', 'uig13kDBMy', 'F8i1kyWaEH', 'a4b1WfSb4R', 'ISo1sgkPjI', 'OGS1yBJyc4', 'P4y1NGqVmW'
                      Source: 5.2.InstallUtil.exe.4739ff0.4.raw.unpack, GAAfjelvscl3lXniGy.csHigh entropy of concatenated method names: 'cPHaD7jTYi', 'fCDafPR44X', 'ggGa4Ajuc2', 'k1gaRykmh4', 'PIUauXbH9e', 'A9A4sGNOsY', 'pPi4ybCA1D', 'XnD4NfCQTh', 'NqM4oeqoYT', 'X0A4O58ot3'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, CwQMvTvg8QkTnEF6Ok.csHigh entropy of concatenated method names: 'aPJ7wkmtd5', 'wZI7Jh94Dl', 'EZ57H17P7U', 'dsp7E0dlaL', 'xSX7ANEeC9', 'gJd7i7SIWg', 'w647qSHgTD', 'p2w7LHjKk6', 'bxU7meZyPm', 'XFV7UIPqWW'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, vAvprgtwNeXhNcpAeW.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'AqWxOUFfKg', 'mscxpt1qng', 'PYUxzMMapy', 'Goi0h9Ll4A', 'rAL0er3wEg', 'O770xqQ6yF', 'ckH00b3gnA', 'hHuh1CJvx4TGtZndISn'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, irmemvhMvWkdnCVjvX.csHigh entropy of concatenated method names: 'rGDVTbJ1qm', 'WBfVdMsuFu', 'ToString', 'tITVgpbPw6', 't1wVf726sV', 'uQdVCZ1KRb', 'tBqV4hfp4E', 'XTRVaS0W7Z', 'MkgVR8DhcZ', 'v6pVup74lW'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, kS9TZK09RS9IaGYnvt.csHigh entropy of concatenated method names: 'om38mF19e', 'EupQ0pcEY', 'UYi6Wmt8s', 'DmXtUI0KR', 'oltJsJMAR', 'RvCYGhRjK', 'qW5y6cAfuvFMa0RWa8', 'NgdviqBrXSVyfu6AZp', 'CKIZvgwNi', 'QsC1MSqca'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ej8OdSEVAPu7fUtUfF.csHigh entropy of concatenated method names: 'bL1f5Iekqt', 'dJcf3hnuWd', 'sa6fkBD2hf', 'gVTfWMvAil', 'ke3fsWGffC', 'dEqfympbWA', 'k6sfNqY3Q1', 'jtTfoJv8y4', 'RuMfOI81C6', 'kEtfpRt0g4'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, UJFYNwKrO8iv592QC4.csHigh entropy of concatenated method names: 'y5dZgLyhAv', 'PZ5Zf5YCA6', 'NgcZCaeJFe', 'l6QZ4mYgUD', 'rerZaQuxMS', 'UtWZR1jcpg', 'XJIZuOaZnC', 'rKfZl7FUhF', 'sPdZTpOvem', 'WlFZdq4gD3'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, mxyKR16oIMJQkHIws0.csHigh entropy of concatenated method names: 'pH44BlTNDa', 'Pdl4tmWOaP', 'F0kCSIKqaf', 'nwZCAL0xKS', 'seCCihLFM8', 'UL6CKM9Tu2', 'PX0CqS2IIH', 'xXECLsPtba', 'rcTCvZh78M', 'QncCmiXr5G'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, DSdiTDSH6jLMQXtSaS.csHigh entropy of concatenated method names: 'ToString', 'GRwXUxT8mk', 'DeyXE2GnwE', 'G4wXS4dGMK', 'cM0XAgduAM', 'uVPXi4ZegJ', 'MPqXKKwd1C', 'eEfXqWy5Fn', 'sb1XLvAwgD', 'zN7Xv6L3Sw'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, esWjGfHURDxEMCTvqj.csHigh entropy of concatenated method names: 'Dispose', 'NayeOV0U6N', 'CO9xE0rcxd', 'VrY99Qmwi5', 'p9pepo6raf', 'QLmezaNWC6', 'ProcessDialogKey', 'JSjxhlTbsw', 'Wduxe17XTF', 't0NxxduXPO'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, aNcrudit9S9gKZdosD.csHigh entropy of concatenated method names: 'TxhRnSuo16', 'BS9R2tNNRF', 'T5aR8JyiFf', 'NMDRQv5aEf', 'tgGRBDhvss', 'SSJR6xEAo8', 'tp4RtgoHVZ', 'otKRwVJGDK', 'CpGRJvUBoE', 'GQuRYj7nKr'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, I2XYi7rTK9xQAb4rcC.csHigh entropy of concatenated method names: 'ajweRKqI6r', 'rGQeuM5KmB', 'lWceT30P1r', 'UUmedetyHP', 'WsAebrtEki', 'PWpeXHfNXU', 'JMSZavbvK6ssRDdR0X', 'PaJBe8yufteiiTtt0N', 'WW9eeYDbx4', 'cQTe0C2Xds'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, vnCksNO0SG5dFSdEpDn.csHigh entropy of concatenated method names: 'qNM1nUmEUW', 't5X12AtGPg', 'r1r18PaiuP', 'xbMGlOIyhoroKmoBplS', 'G7lKw5IZmJ62BL1Jc2V', 'hujogAI2OHmmEOaRQj0', 'CyUBwhInEVTJmVkeReI', 'RKihFVIOPMnu59r0Ugd'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, QAbs1fOJpJ2mDUuLZkg.csHigh entropy of concatenated method names: 'Ht3rnq7Fhm', 'j65r2SJI05', 'hFXr8w2nMj', 'EBJrQ7SSBK', 'AbJrB8dAvx', 'yFQr6E0Mh2', 'ysprtFDM9U', 'aZ7rw6Yxl9', 'KDKrJlL3qR', 'BY2rYQnCW3'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, rhvQSadoDuEYo1o4WL.csHigh entropy of concatenated method names: 'kNhRgmJcO8', 'SxlRCoMAHf', 'BQbRa3AXNC', 'FFTapU1rYW', 'iTJazvnp8N', 'dP2RhKi4rX', 'W94Rem1SQ6', 'jxGRxTmjC1', 'lQZR0tgua1', 'qQuRM3C0ir'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, SKtpa2bmOodxw7JdEL.csHigh entropy of concatenated method names: 'spLak34iRA', 'gUEaWjNSwZ', 'sJ0asDqZck', 'ToString', 'NvHaymLf5p', 'CgdaNhq8g6', 'PKTaXV4hErslqQrMpkN', 'Q2NhMW4HSe2b5Cd2XJY', 'P01FcF4ESHSpDsesMXa', 'svtQUq4QuckQF32qOrb'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, xRRgWip8QKa0lUPQ0l.csHigh entropy of concatenated method names: 'rmrbm927y9', 'y4kbGTCxCi', 'EHUb5knY0H', 'aHMb3iYJbn', 'gQ6bE9njdQ', 'mv1bSlbmot', 'QGCbAjhCKx', 'oFFbi661fF', 'NM2bK2ITVA', 'TclbqQNMK7'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, M0OmuR9QAlfSy6MfaJ.csHigh entropy of concatenated method names: 'pUVZHZYijx', 'FG2ZEoa5sW', 'LRfZSxamsv', 'DFPZAY7iyp', 'tOAZ5Yw2Os', 'lbkZimGUNZ', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, MW2N2ECw4ZmRfkZ0yT.csHigh entropy of concatenated method names: 'vKvCQWwcT7', 'rASC6iS0aC', 'dqOCwybtR2', 'sewCJvRVL2', 'tTxCbAP7nx', 'DIxCXq0ibu', 'mxaCVpfYAh', 'eeBCZxRS4m', 'JpKCrtXeoD', 'HcJC1Mcrlj'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, GIGVQf1cI5vJviOpNr.csHigh entropy of concatenated method names: 'p9creGn65F', 'J7ur00oCvO', 'MevrM9w4OJ', 'ryZrgLD5no', 'BNFrfq1EvC', 'XX1r48FSSc', 'T1fra8uPm2', 'A0CZNr5Pti', 'BMpZo4sxP4', 'PcwZOmBqZo'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, ubgLl77gT8BXCb2LKf.csHigh entropy of concatenated method names: 'PVO0DvZtbe', 'Mjg0ggUKcV', 'e0W0f1fSrf', 'UXq0Cw1tnm', 'OJd049vL92', 'ILd0a9QcD7', 'A5x0RgoxV1', 'HAb0uZs4f4', 'vWJ0lNJrxa', 'wrK0Tepsla'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, KF7dk8z8WeCEUg5LKa.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PjZr7EGmCC', 'GyErbsupfM', 'gNhrX6EYX8', 'LQdrVcxVsV', 'RILrZ09PWw', 'cBYrrUZwZF', 'aohr1tJXPY'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, pI0Ixxfq9w4e0DrCFc.csHigh entropy of concatenated method names: 'lo1VoDJ3GQ', 'WmRVpGhG0t', 'oSGZhdmiZb', 'va5Zeq9iyi', 'sWlVUps5ba', 'q7cVGtVOu6', 'LdgVFYfe5x', 'brSV5ysl2F', 'bDZV3lltw3', 'wVUVkt1OJe'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, wgXbhrOsouI4f4kSR7P.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Awq15ICZjP', 'uig13kDBMy', 'F8i1kyWaEH', 'a4b1WfSb4R', 'ISo1sgkPjI', 'OGS1yBJyc4', 'P4y1NGqVmW'
                      Source: 5.2.InstallUtil.exe.97e0000.9.raw.unpack, GAAfjelvscl3lXniGy.csHigh entropy of concatenated method names: 'cPHaD7jTYi', 'fCDafPR44X', 'ggGa4Ajuc2', 'k1gaRykmh4', 'PIUauXbH9e', 'A9A4sGNOsY', 'pPi4ybCA1D', 'XnD4NfCQTh', 'NqM4oeqoYT', 'X0A4O58ot3'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00406EB0 ShellExecuteW,URLDownloadToFileW,13_2_00406EB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exeJump to dropped file
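The method lists above are a renaming obfuscator's fingerprint: nearly every name is a random-looking alphanumeric string, and the few readable ones (ToString, Dispose, Next/NextBytes, CanConvertFrom/ConvertFrom/ConvertTo, ProcessDialogKey, EditValue/GetEditStyle) survive only because they override framework members that cannot be renamed without breaking the runtime contract. Those survivors are the quickest clue to what the renamed classes derive from (Object, IDisposable, Random, TypeConverter, Control, UITypeEditor). The Python below is an added example, not code from the Joe Sandbox report, showing how a "high entropy of concatenated method names" heuristic works. It assumes the measure is Shannon entropy over the joined method names of one class and uses an illustrative 4.5-bit threshold; the report states neither its exact method nor its threshold. The obfuscated list is DSdiTDSH6jLMQXtSaS.cs from the report; the plain list is constructed for contrast.

```python
"""Entropy of concatenated .NET method names as an obfuscation signal.

Added example; not code from the Joe Sandbox report. The entropy measure and
the 4.5-bit threshold are assumptions, not the report's internals.
"""
import math
from collections import Counter

ENTROPY_THRESHOLD = 4.5  # assumption: bits per character, chosen for illustration

# Virtual/interface members a renaming obfuscator must leave intact; they are
# exactly the readable names that remain in the report's lists and reveal the
# base classes (Object, IDisposable, Random, TypeConverter, Control, UITypeEditor).
UNRENAMEABLE = {
    "ToString", "Dispose", "Next", "NextBytes", "CanConvertFrom", "ConvertFrom",
    "ConvertTo", "ProcessDialogKey", "EditValue", "GetEditStyle",
}

# Copied from the report: DSdiTDSH6jLMQXtSaS.cs in the InstallUtil.exe memory dump.
OBFUSCATED_CLASS = [
    "ToString", "GRwXUxT8mk", "DeyXE2GnwE", "G4wXS4dGMK", "cM0XAgduAM",
    "uVPXi4ZegJ", "MPqXKKwd1C", "eEfXqWy5Fn", "sb1XLvAwgD", "zN7Xv6L3Sw",
]

# Constructed: an unobfuscated class of similar size, for contrast.
PLAIN_CLASS = [
    "ToString", "Dispose", "ReadHeader", "ReadBody",
    "WriteHeader", "WriteBody", "Reset", "Close",
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of text in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def obfuscation_report(names, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Score one class's method list: overall entropy, entropy of the names an
    obfuscator was free to rename, the framework names it had to keep, and the
    verdict against the (assumed) threshold."""
    names = list(names)
    renameable = [n for n in names if n not in UNRENAMEABLE]
    entropy_all = shannon_entropy("".join(names))
    return {
        "entropy_all": round(entropy_all, 3),
        "entropy_renameable": round(shannon_entropy("".join(renameable)), 3),
        "kept_framework_names": sorted(set(names) & UNRENAMEABLE),
        "flag": entropy_all >= threshold,
    }


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_CLASS), ("plain", PLAIN_CLASS)):
        print(label, obfuscation_report(names))
```

The obfuscated class scores above 5 bits per character, the plain one around 4, so a threshold anywhere between them separates the two; real-world tuning needs a corpus of clean assemblies, and the kept framework names are worth reporting alongside the score because they tell the analyst which classes to open first.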

                      Boot Survival

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,13_2_0041AA4A
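The scheduled task is the persistence mechanism: InstallUtil.exe registers a task named Updates\TWzqRLWZGd from an XML definition written to the user's Temp directory, and the task name matches the executable dropped to AppData\Roaming earlier in the report. Neither step needs administrator rights, which is why the definition and the payload both sit in user-writable locations. The following triage helper is an added example, not part of the Joe Sandbox report or the sample: it parses the recorded command line, flags a task definition imported from a user-writable path, and extracts the action and trigger from a task XML. The XML is constructed, since the report does not show the contents of tmp394.tmp, and it assumes the task launches the dropped TWzqRLWZGd.exe at logon.

```python
"""Triage of the schtasks persistence recorded in the report.

Added example; not part of the Joe Sandbox report or the sample. The command
line is the one the report recorded. The task XML is a constructed stand-in
for tmp394.tmp (the report does not show its contents) and assumes the task
launches the dropped TWzqRLWZGd.exe at logon.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to. A task definition or payload
# living there is the signature of user-level persistence, not of an installer.
USER_WRITABLE = re.compile(
    r"\\AppData\\(Local\\Temp|Roaming|Local)\\|%temp%|%appdata%|\\Users\\Public\\",
    re.IGNORECASE,
)

# Exactly as the report recorded it (process created by InstallUtil.exe).
REPORTED_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp"'
)

# Constructed stand-in for tmp394.tmp; the real file is not shown in the report.
CONSTRUCTED_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe</Command></Exec>
  </Actions>
</Task>"""


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_schtasks(cmd: str) -> dict:
    """Map each /FLAG (upper-cased) to its value, or True for a bare switch."""
    tokens = split_cmdline(cmd)
    opts: dict = {}
    i = 1  # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i].upper()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts


def task_creation_findings(cmd: str) -> list[str]:
    """Reasons a schtasks /Create command line deserves analyst attention."""
    opts = parse_schtasks(cmd)
    if "/CREATE" not in opts:
        return []
    findings = []
    for flag in ("/XML", "/TR"):  # /TR is the inline-action form of /Create
        value = opts.get(flag)
        if isinstance(value, str) and USER_WRITABLE.search(value):
            findings.append(f"{flag} points into a user-writable path: {value}")
    return findings


def task_xml_findings(task_xml: str) -> dict:
    """Extract what a Task Scheduler XML definition runs, when, and whether it hides."""
    root = ET.fromstring(task_xml)
    exec_node = root.find(".//t:Actions/t:Exec", TASK_NS)
    command = "" if exec_node is None else exec_node.findtext("t:Command", "", TASK_NS)
    args = "" if exec_node is None else exec_node.findtext("t:Arguments", "", TASK_NS)
    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [c.tag.split("}")[-1] for c in triggers_node]
    hidden = root.findtext("t:Settings/t:Hidden", "", TASK_NS).lower() == "true"
    return {
        "command": command,
        "arguments": args,
        "triggers": triggers,
        "hidden": hidden,
        "payload_in_user_writable_path": bool(USER_WRITABLE.search(command)),
    }


if __name__ == "__main__":
    for finding in task_creation_findings(REPORTED_CMDLINE):
        print("cmdline:", finding)
    for key, value in task_xml_findings(CONSTRUCTED_TASK_XML).items():
        print(f"task xml: {key} = {value}")
```

On a live host the same parser runs against the registered definition rather than a stand-in: `schtasks /Query /TN "Updates\TWzqRLWZGd" /XML` prints the task XML, which can be fed to task_xml_findings(); a task whose Exec Command resolves into AppData, Temp or Users\Public, and whose definition was imported from Temp, is the pattern to hunt for across the estate.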

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Users\user\Desktop\Signed Document..exe | File opened: C:\Users\user\Desktop\Signed Document..exe\:Zone.Identifier (access: read attributes, delete)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 13_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,13_2_0041CB50
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: Signed Document..exe PID: 5032, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 13_2_0040F7A7 Sleep,ExitProcess, 13_2_0040F7A7
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: 2BA0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: 2DB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: 2BA0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: 8A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: 9A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: 9BF0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: ABF0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: AFC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: BFC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Signed Document..exe Memory allocated: CFC0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3080000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3320000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 3080000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 98A0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: A8A0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: AAC0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: BAC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe Memory allocated: 1220000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe Memory allocated: 2CF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe Memory allocated: 2B30000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_0041A748
                      Source: C:\Users\user\Desktop\Signed Document..exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 240000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 239859
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 239749
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 239640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 239416
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 239138
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 238984
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 238875
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 238765
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 238647
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 238528
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 238359
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 238210
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 237931Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 237809Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeWindow / User API: threadDelayed 8602Jump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeWindow / User API: threadDelayed 1260Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 709Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWindow / User API: threadDelayed 1180Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7747Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1787Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8201Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1350Jump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exe TID: 1632Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exe TID: 1632Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -240000s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -239859s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -239749s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -239640s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -239416s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -239138s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238984s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238875s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238765s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238647s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238528s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238359s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238210s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -238062s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -237931s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 4768Thread sleep time: -237809s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6624Thread sleep count: 7747 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5436Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1708Thread sleep count: 1787 > 30Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 3668Thread sleep count: 47 > 30Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe TID: 6476Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,13_2_00409253
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,13_2_0041C291
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,13_2_0040C34D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,13_2_00409665
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0044E879 FindFirstFileExA,13_2_0044E879
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,13_2_0040880C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0040783C FindFirstFileW,FindNextFileW,13_2_0040783C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,13_2_00419AF5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,13_2_0040BB30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,13_2_0040BD37
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,13_2_00407C97
                      Source: C:\Users\user\Desktop\Signed Document..exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\Signed Document..exeThread delayed: delay time: 30000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 240000Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 239859Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 239749Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 239640Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 239416Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 239138Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238984Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238875Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238765Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238647Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238528Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238359Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238210Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 238062Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 237931Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 237809Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: Signed Document..exe, 00000000.00000002.3044769283.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Signed Document..exe, 00000000.00000002.3054456996.00000000055E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: VBoxTray
                      Source: Signed Document..exe, 00000000.00000002.3054456996.00000000055E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
                      Source: InstallUtil.exe, 00000005.00000002.3040006325.0000000005A22000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                      Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeAPI call chain: ExitProcess graph end nodegraph_13-48894
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_004349F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,13_2_0041CB50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_004432B5 mov eax, dword ptr fs:[00000030h]13_2_004432B5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00412077 GetProcessHeap,HeapFree,13_2_00412077
                      Source: C:\Users\user\Desktop\Signed Document..exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_004349F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00434B47 SetUnhandledExceptionFilter,13_2_00434B47
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_0043BB22
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00434FDC
                      Source: C:\Users\user\Desktop\Signed Document..exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe"
Source: C:\Users\user\Desktop\Signed Document..exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Signed Document..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Signed Document..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Signed Document..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Signed Document..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 512000
Source: C:\Users\user\Desktop\Signed Document..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 514000
Source: C:\Users\user\Desktop\Signed Document..exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1118008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4B51008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe13_2_004120F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_00419627 mouse_event,13_2_00419627
Source: C:\Users\user\Desktop\Signed Document..exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.com:2404+
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ3\ca|
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managere0
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.com:2404ensh
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ3\4
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerppData\Roaming\TWzqRLWZGd.exe
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ3\ca
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: |Program Manager|
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ3\
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerEM d
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerZ3\ac
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp, logs.dat.13.dr	Binary or memory string: [Program Manager]
Source: vbc.exe, 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerv0J%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 13_2_00434C52 cpuid 13_2_00434C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoA,13_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,13_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,13_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,13_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,13_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,13_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,13_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,13_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: GetLocaleInfoW,13_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,13_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,13_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: EnumSystemLocalesW,13_2_00451F9B
Source: C:\Users\user\Desktop\Signed Document..exe	Queries volume information: C:\Users\user\Desktop\Signed Document..exe VolumeInformation
Source: C:\Users\user\Desktop\Signed Document..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Signed Document..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Signed Document..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Signed Document..exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Signed Document..exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exeQueries volume information: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe VolumeInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00404F51 GetLocalTime,CreateEventA,CreateThread,13_2_00404F51
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_0041B60D GetComputerNameExW,GetUserNameW,13_2_0041B60D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 13_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,13_2_00449190
                      Source: C:\Users\user\Desktop\Signed Document..exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.InstallUtil.exe.8040000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.8040000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.333b54c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.333b54c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3043550745.0000000008040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3027659257.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5404, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\fghjhh\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 13_2_0040BA12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 13_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: \key3.db 13_2_0040BB30

Remote Access Functionality

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZI0DZ3
Source: Yara match | File source: 5.2.InstallUtil.exe.8040000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.8040000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.333b54c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.333b54c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3043550745.0000000008040000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3027659257.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.43f99d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 4072, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5404, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\fghjhh\logs.dat, type: DROPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: cmd.exe 13_2_0040569A
ATT&CK Matrix (one line per tactic; technique entries and their numeric prefixes as listed in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: 1 Native API; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Windows Service; 1 Scheduled Task/Job; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Valid Accounts; 11 Access Token Manipulation; 1 Windows Service; 322 Process Injection; 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 1 Valid Accounts; 31 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 322 Process Injection; 1 Hidden Files and Directories
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 33 System Information Discovery; 21 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: 11 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 1499171 | Sample: Signed Document..exe | Start date: 26/08/2024 | Architecture: WINDOWS | Score: 100

• Start
  • DNS/IP info: www.lig-gu.com
  • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  • Signed Document..exe 3 (started)
    • Created file: C:\Users\user\...\Signed Document..exe.log, ASCII (dropped)
    • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
    • InstallUtil.exe 5 (started)
      • Created files: C:\Users\user\AppData\Local\Temp\tmp394.tmp, XML (dropped); C:\Users\user\AppData\...\TWzqRLWZGd.exe, PE32 (dropped)
      • Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      • vbc.exe (started)
        • Signatures: Contains functionality to bypass UAC (CMSTPLUA); Contains functionalty to change the wallpaper; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
      • vbc.exe 3 2 (started)
        • DNS/IP info: www.lig-gu.com 103.161.133.100, 2404, 49717, 49718, AARNET-AS-APAustralianAcademicandResearchNetworkAARNe, unknown
        • Created file: C:\ProgramData\fghjhh\logs.dat, data (dropped)
        • Signatures: Detected Remcos RAT; Installs a global keyboard hook
      • powershell.exe 23 (started)
        • Signatures: Loading BitLocker PowerShell Module
        • conhost.exe (started)
        • WmiPrvSE.exe (started)
      • 2 other processes
        • conhost.exe (started)
        • conhost.exe (started)
  • TWzqRLWZGd.exe 4 (started)
    • conhost.exe (started)

Source | Detection | Scanner | Label | Link
Signed Document..exe | 68% | ReversingLabs | Win32.Trojan.Jalapeno
Signed Document..exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
www.lig-gu.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.lig-gu.com | 103.161.133.100 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
www.lig-gu.com | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | vbc.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | InstallUtil.exe, 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000005.00000002.3027659257.0000000003321000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.161.133.100 | www.lig-gu.com | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1499171
                        Start date and time:2024-08-26 17:39:12 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 31s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:17
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:Signed Document..exe
                        Detection:MAL
                        Classification:mal100.rans.troj.spyw.expl.evad.winEXE@19/15@1/1
                        EGA Information:
                        • Successful, ratio: 75%
                        HCA Information:
                        • Successful, ratio: 97%
                        • Number of executed functions: 355
                        • Number of non-executed functions: 36
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Execution Graph export aborted for target TWzqRLWZGd.exe, PID 4436 because it is empty
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: Signed Document..exe
Time | Type | Description
11:40:35 | API Interceptor | 222x Sleep call for process: Signed Document..exe modified
11:41:38 | API Interceptor | 17x Sleep call for process: InstallUtil.exe modified
11:41:40 | API Interceptor | 56x Sleep call for process: powershell.exe modified
11:42:12 | API Interceptor | 4x Sleep call for process: vbc.exe modified
17:41:41 | Task Scheduler | Run new task: TWzqRLWZGd path: C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe
                        No context
                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | bat.bat | Get hash | malicious | AsyncRAT, DcRat, PureLog Stealer, XWorm, zgRAT | Browse | 103.165.81.99
 | bat.bat | Get hash | malicious | AsyncRAT, DcRat, PureLog Stealer, XWorm, zgRAT | Browse | 103.165.81.99
 | 700987654656676.exe | Get hash | malicious | DBatLoader, FormBook | Browse | 103.164.62.155
 | PURCHASE ORDER.xls | Get hash | malicious | Remcos | Browse | 103.186.116.99
 | SecuriteInfo.com.Exploit.Rtf.Obfuscated.32.21143.24066.rtf | Get hash | malicious | Remcos | Browse | 103.186.116.99
 | sora.arm.elf | Get hash | malicious | Unknown | Browse | 103.175.3.230
 | firmware.m68k.elf | Get hash | malicious | Unknown | Browse | 103.181.203.1
 | firmware.x86_64.elf | Get hash | malicious | Unknown | Browse | 103.35.13.16
 | firmware.i586.elf | Get hash | malicious | Unknown | Browse | 137.154.155.49
 | jew.arm7.elf | Get hash | malicious | Mirai | Browse | 103.186.137.207
                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe | PO CONTRACT.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
 | image.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse |
 | ABA NEW ORDER No.2400228341.pdf.exe | Get hash | malicious | AsyncRAT | Browse |
 | 09099627362726.exe | Get hash | malicious | AgentTesla | Browse |
 | SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe | Get hash | malicious | DarkTortilla, XWorm | Browse |
 | 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | Get hash | malicious | DarkTortilla, XWorm | Browse |
 | ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe | Get hash | malicious | DarkTortilla, XWorm | Browse |
 | F46VBJ6Yvy.exe | Get hash | malicious | AgentTesla | Browse |
 | @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe | Get hash | malicious | DarkTortilla, XWorm | Browse |
 | SPECIFICATIONS.exe | Get hash | malicious | AgentTesla | Browse |
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):290
                                            Entropy (8bit):3.5808116010948914
                                            Encrypted:false
                                            SSDEEP:6:6lm4l255YcIeeDAlOWAN5ZsUEZglJPZV7y/iBRdIWAv:6lqec0WbMJPHSW+
                                            MD5:B194AD896FC81928034F98DF28D40BDD
                                            SHA1:3B2C12CC617F337DFC172A59E1175CB0D70AAC4B
                                            SHA-256:43615EC2D224AC5009F36B504186C4781676238F3D2B45FC188816B580DBF6C8
                                            SHA-512:010C3E446341DE5750A4E13E4D8FD6B2CA611E1CAE5CA23998C5BA053EAC6239F1D2B904C4FEB94218DEECEC11EC631585C3193DEE118BDE2D79C15DD8077D16
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\fghjhh\logs.dat, Author: Joe Security
                                            Preview:....[.2.0.2.4./.0.8./.2.6. .1.1.:.4.1.:.4.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.T.W.z.q.R.L.W.Z.G.d...e.x.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                            Process:C:\Users\user\Desktop\Signed Document..exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
                                            MD5:7B709BC412BEC5C3CFD861C041DAD408
                                            SHA1:532EA6BB3018AE3B51E7A5788F614A6C49252BCF
                                            SHA-256:733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
                                            SHA-512:B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
                                            Malicious:true
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                            Process:C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe
                                            File Type:CSV text
                                            Category:modified
                                            Size (bytes):1089
                                            Entropy (8bit):5.3331074454898735
                                            Encrypted:false
                                            SSDEEP:24:ML9E4KlKNE4oK2nMK/KDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlIHoVnM6YHKh3oPtHo6hAHKzeR
                                            MD5:E54FE55F93C5501D5C4737CCF0E6E48B
                                            SHA1:BEF9C1A7166E3E8C2C7762C42F8FCBB753B63283
                                            SHA-256:2434AE4C4C8436A64A4F3317638DF77C38CB7FFC226037ADE1DC6F6CD4745619
                                            SHA-512:5422F02595B12ACFE23AF8C69ACF43B5529C700FC3FA5ADEDDBDFF36737C22D7AE23FCD4A39869DF6D02D7D708F951142983E60ED90EADFDCE5CC40B164AD19D
                                            Malicious:false
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\48ee4ec9441351bbe4d9095c96b8ea01\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\Nati
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2232
                                            Entropy (8bit):5.379552885213346
                                            Encrypted:false
                                            SSDEEP:48:fWSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCZfIfSKRHmOugw1s
                                            MD5:236CE6553B5DB20FA0B07F9FEA88F4A4
                                            SHA1:AEB5B156162EC5CD4E0BC3A0BA0F0D4739D40DBD
                                            SHA-256:3849E9437770B9804D942D293FFAB3C6449B82BA23C0CD3D48DE2C318938FCAD
                                            SHA-512:90B07AFD72EE353BEA8E2C7ECBB8CDAFB965C91E1B32C5FFE971F60C69004FDEBF5BA429B4DD455210772D2494A8AD60930A8F01C289D0199998A7CC36050FD6
                                            Malicious:false
                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1583
                                            Entropy (8bit):5.1148560338062
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtmxvn:cgergYrFdOFzOzN33ODOiDdKrsuTqv
                                            MD5:7C8CE2986A335B1CEE364B300D9E66FD
                                            SHA1:2DB83AE7F6E2DEDE8AAEC89DEF2290F1F6CB155D
                                            SHA-256:926889FF288543DD23EA065DAF486B5E736349020404CDD9592D7AA05FABE721
                                            SHA-512:ABB922FB8ED591D2CCD9B046BC7857C9DF7F391F5F0210203633FCF295B621904097084AC6EF29FA2D01F90F07BA22B915CC25B7307B105E4E8B4015B7E36159
                                            Malicious:true
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):42064
                                            Entropy (8bit):6.19564898727408
                                            Encrypted:false
                                            SSDEEP:384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
                                            MD5:5D4073B2EB6D217C19F2B22F21BF8D57
                                            SHA1:F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
                                            SHA-256:AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
                                            SHA-512:9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: PO CONTRACT.exe, Detection: malicious, Browse
                                            • Filename: image.exe, Detection: malicious, Browse
                                            • Filename: ABA NEW ORDER No.2400228341.pdf.exe, Detection: malicious, Browse
                                            • Filename: 09099627362726.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, Detection: malicious, Browse
                                            • Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, Detection: malicious, Browse
                                            • Filename: ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe, Detection: malicious, Browse
                                            • Filename: F46VBJ6Yvy.exe, Detection: malicious, Browse
                                            • Filename: @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe, Detection: malicious, Browse
                                            • Filename: SPECIFICATIONS.exe, Detection: malicious, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,>.]..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..PB...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
                                            Process:C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):2017
                                            Entropy (8bit):4.659840607039457
                                            Encrypted:false
                                            SSDEEP:48:zK4QsD4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKgDEcTytNe3Wo3uQVBIe+5
                                            MD5:3BF802DEB390033F9A89736CBA5BFAFF
                                            SHA1:25A7177A92E0283B99C85538C4754A12AC8AD197
                                            SHA-256:5202EB464D6118AC60F72E89FBAAACF1FB8CF6A232F98F47F88D0E7B2F3AFDB3
                                            SHA-512:EB4F440D28ECD5834FD347F43D4828CA9FEE900FF003764DD1D18B95E0B84E414EAECF70D75236A1463366A189BC5CBA21613F79B5707BF7BDB3CEA312CCE4F7
                                            Malicious:false
                                            Preview:Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):6.320779251833559
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:Signed Document..exe
                                            File size:2'642'944 bytes
                                            MD5:b04baf73f6244754828f8583d110dd88
                                            SHA1:651c010d7d52be0dd2dad5f1408dbddf5a1e4e87
                                            SHA256:86a38c7be7f024035b513355c83265e1e210a2c82329839538a734ad75275d7b
                                            SHA512:63d2d8bccd200661846564f894eae8ed0bce14e7f92da5ad2a4fa0adbb637ac20c31e95e73803d665d950c0dde144fa06bf7c90419dac831c40b0cc93e568640
                                            SSDEEP:24576:d9zZqnxodZVAZgodXA+8NOxmSNfQ7GglYK68zcJAzQf2jYlnucOYZaxR7Ryw:d6odStNWOolY4YJAEf2oz/cxRV
                                            TLSH:6BC57C99EBE4BA01C03FF33A75566250837288E64D48E6C748C994D9B7BB3417FD2983
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......O.........."...P..&(..,.......D(.. ...`(...@.. ........................(...........`................................
                                            Icon Hash:4d9292f2c88cf60d
                                            Entrypoint:0x6844de
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x4FB7D7B8 [Sat May 19 17:26:16 2012 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x284484 | 0x57 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x286000 | 0x29fc | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x28a000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x2824e4 | 0x282600 | 48479ffac696759bc0adb4897ec17584 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x286000 | 0x29fc | 0x2a00 | 4a0c0743715d3daeeede00ff7bcd998c | False | 0.13011532738095238 | data | 3.029904465691187 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x28a000 | 0xc | 0x200 | 81d6a1615e3caeec92e4aa5b60eb3283 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0x2860e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | | | 0.10020746887966805
                                            RT_GROUP_ICON | 0x288690 | 0x14 | data | | | 1.25
                                            RT_VERSION | 0x2886a4 | 0x358 | data | English | United States | 0.40654205607476634
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |
                                            Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                                            2024-08-26T17:41:41.369147+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 49717 | 2404 | 192.168.2.5 | 103.161.133.100
                                            2024-08-26T17:42:03.775150+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 49718 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Aug 26, 2024 17:41:41.362998962 CEST | 49717 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:41:41.367969990 CEST | 2404 | 49717 | 103.161.133.100 | 192.168.2.5
                                            Aug 26, 2024 17:41:41.368042946 CEST | 49717 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:41:41.369147062 CEST | 49717 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:41:41.373991966 CEST | 2404 | 49717 | 103.161.133.100 | 192.168.2.5
                                            Aug 26, 2024 17:42:02.762722015 CEST | 2404 | 49717 | 103.161.133.100 | 192.168.2.5
                                            Aug 26, 2024 17:42:02.762927055 CEST | 49717 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:42:02.763097048 CEST | 49717 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:42:02.767875910 CEST | 2404 | 49717 | 103.161.133.100 | 192.168.2.5
                                            Aug 26, 2024 17:42:03.769695997 CEST | 49718 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:42:03.774560928 CEST | 2404 | 49718 | 103.161.133.100 | 192.168.2.5
                                            Aug 26, 2024 17:42:03.774688959 CEST | 49718 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:42:03.775150061 CEST | 49718 | 2404 | 192.168.2.5 | 103.161.133.100
                                            Aug 26, 2024 17:42:03.779982090 CEST | 2404 | 49718 | 103.161.133.100 | 192.168.2.5
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Aug 26, 2024 17:41:40.997601032 CEST | 49298 | 53 | 192.168.2.5 | 1.1.1.1
                                            Aug 26, 2024 17:41:41.341861010 CEST | 53 | 49298 | 1.1.1.1 | 192.168.2.5
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Aug 26, 2024 17:41:40.997601032 CEST | 192.168.2.5 | 1.1.1.1 | 0xa0db | Standard query (0) | www.lig-gu.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Aug 26, 2024 17:41:41.341861010 CEST | 1.1.1.1 | 192.168.2.5 | 0xa0db | No error (0) | www.lig-gu.com | | 103.161.133.100 | A (IP address) | IN (0x0001) | false
                                            Target ID:0
                                            Start time:11:40:08
                                            Start date:26/08/2024
                                            Path:C:\Users\user\Desktop\Signed Document..exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Signed Document..exe"
                                            Imagebase:0x7e0000
                                            File size:2'642'944 bytes
                                            MD5 hash:B04BAF73F6244754828F8583D110DD88
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.3044769283.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.3054456996.00000000055E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.3007360066.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:5
                                            Start time:11:41:05
                                            Start date:26/08/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                            Imagebase:0xf40000
                                            File size:42'064 bytes
                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3043550745.0000000008040000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.3030034790.0000000004381000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3027659257.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:6
                                            Start time:11:41:39
                                            Start date:26/08/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                            Imagebase:0xe80000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:11:41:39
                                            Start date:26/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:11:41:39
                                            Start date:26/08/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe"
                                            Imagebase:0xe80000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:11:41:39
                                            Start date:26/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:11:41:39
                                            Start date:26/08/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWzqRLWZGd" /XML "C:\Users\user\AppData\Local\Temp\tmp394.tmp"
                                            Imagebase:0xa30000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:11:41:39
                                            Start date:26/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:11:41:40
                                            Start date:26/08/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                            Imagebase:0x140000
                                            File size:2'625'616 bytes
                                            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:13
                                            Start time:11:41:40
                                            Start date:26/08/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                                            Imagebase:0x140000
                                            File size:2'625'616 bytes
                                            MD5 hash:0A7608DB01CAE07792CEA95E792AA866
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.3361214735.0000000004D3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:moderate
                                            Has exited:false

                                            Target ID:14
                                            Start time:11:41:41
                                            Start date:26/08/2024
                                            Path:C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\TWzqRLWZGd.exe
                                            Imagebase:0x8f0000
                                            File size:42'064 bytes
                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:15
                                            Start time:11:41:42
                                            Start date:26/08/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff6ef0c0000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:false

                                            Target ID:16
                                            Start time:11:41:43
                                            Start date:26/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:16.9%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:15.6%
                                              Total number of Nodes:77
                                              Total number of Limit Nodes:7
                                              [Execution graph (rendered image not captured; only the node/edge data was extracted): the graph nodes reach DeleteFileW, CallWindowProcW, WriteProcessMemory, Wow64SetThreadContext, FindCloseChangeNotification, VirtualProtect, VirtualProtectEx, PostMessageW, Wow64GetThreadContext, VirtualAllocEx, ResumeThread and CreateProcessAsUserW]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                              • API String ID: 0-99275883
                                              • Opcode ID: 92554504d3b0fe4610bf161bb9fcb0742ac9f635f7d5cbebe0cda4ec4dbc9139
                                              • Instruction ID: c7be874931316958eae4f6a7613bc1395d1018b1204e296e877d4ac3f5c586cb
                                              • Opcode Fuzzy Hash: 92554504d3b0fe4610bf161bb9fcb0742ac9f635f7d5cbebe0cda4ec4dbc9139
                                              • Instruction Fuzzy Hash: 56824B30A00609DFCB15CF69D984AAEBBF2FF88314F158659E805DB2A5DB30ED45CB60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (o]q$(o]q$(o]q$,aq$,aq$,aq$,aq$Haq
                                              • API String ID: 0-2006068749
                                              • Opcode ID: 5d5415616e7a657e951a64abc5f64f1d0d449c5038fef3553bea4536af3b5308
                                              • Instruction ID: 8f380ec14794131faa72c2af0ac07f10893276a4e3b540650f8722f1fe2855ab
                                              • Opcode Fuzzy Hash: 5d5415616e7a657e951a64abc5f64f1d0d449c5038fef3553bea4536af3b5308
                                              • Instruction Fuzzy Hash: 90A26F70A00219CFCB15DF69C884AAEBBB6FF89304F258569E815EB3A5DF30D945CB50

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 73baa50; calls 73bd630, 73b941c and 73b5a20]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (aq$Haq$Haq$Haq$Haq$Haq$Haq$PH]q
                                              • API String ID: 0-1363861295
                                              • Opcode ID: a1d151d40089f60b18edb863e40cf4b5ac45dfc1f132f139dd92fea583503393
                                              • Instruction ID: 919cda046500ba7505a8e80088dcf1370d8b29b2cc5547312e1e813bef51b891
                                              • Opcode Fuzzy Hash: a1d151d40089f60b18edb863e40cf4b5ac45dfc1f132f139dd92fea583503393
                                              • Instruction Fuzzy Hash: 1D72DF75B002158FDB58AB7CD894AAE7BAABFC8310F148568D50ADB3A5CF34DC06C791

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 7830b17; calls 7838090 and 78380c0]
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2916143be40ead54cf42b14a7706b461ae546c00aa02a4ffc92cf47fe39b01d8
                                              • Instruction ID: 9d2198549f7bb921f2567c64553129a19c0a1e42c8dfef7b616f28bb475c9482
                                              • Opcode Fuzzy Hash: 2916143be40ead54cf42b14a7706b461ae546c00aa02a4ffc92cf47fe39b01d8
                                              • Instruction Fuzzy Hash: F7C30971A11228CFCB58EF38D99966CBBB2BB89300F4049E9D049A7354EF345E85CF56

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 7830b30; calls 7838090 and 78380c0]
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 36eeb95a6609d0d7e294ea5517539937a851f1e96b497eb20e2e66a0dc1aa66d
                                              • Instruction ID: b98813a7c489fe166b4eacb5e1985f1c3fa63c6e93fb3549b57e3979bee4aa1f
                                              • Opcode Fuzzy Hash: 36eeb95a6609d0d7e294ea5517539937a851f1e96b497eb20e2e66a0dc1aa66d
                                              • Instruction Fuzzy Hash: BCC30A71A11228CFCB58EF38D99966CBBB2BB89300F4049E9D049A7354EF345E85CF56

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 7781838; calls 7787fb0, 7788670 and 7788660]
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059229948.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7780000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3abdc65ad6c6f2d5cf673a441fb1e11162d543817748ef1a121e40b26b567d29
                                              • Instruction ID: d58e282d89a385d6df761bcdaefe651020562422786a26a36e0cf0c26a1e4ba1
                                              • Opcode Fuzzy Hash: 3abdc65ad6c6f2d5cf673a441fb1e11162d543817748ef1a121e40b26b567d29
                                              • Instruction Fuzzy Hash: 33B31B71A11228CFCB58EF78D98966CBBF2BB84300F5089E9D489A3250EF345D95CF95

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 12e3828; calls 12e4f38]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Q!$Q!$$]q$S}
                                              • API String ID: 0-184890315
                                              • Opcode ID: f301d6309b5a6d62b4f3454a59dfc02ff63e793fec040aff45b761741bbfaf7d
                                              • Instruction ID: 1b167d7e00ccc19b325d46c2ae16a7650ebdd3f7e3d620d277f458be91c96f90
                                              • Opcode Fuzzy Hash: f301d6309b5a6d62b4f3454a59dfc02ff63e793fec040aff45b761741bbfaf7d
                                              • Instruction Fuzzy Hash: DA71E174E1020DDFDB04DFA9D4899AEBBF6BF88301F20842AE906A7364DB345945CF51

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 130b150; calls 130c381, 130c7d9, 130b9b0 and 130b9bf]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Te]q$Te]q$Cyzq^
                                              • API String ID: 0-431490236
                                              • Opcode ID: 33b2b1de0ee6d6fa45e5cfadbb945631481309f4cb62b23c6ac54ccb9aa655f9
                                              • Instruction ID: 8863b3aaba25c6171832f57d3c1013a79dc4e6937d599ec79b918204da8076ad
                                              • Opcode Fuzzy Hash: 33b2b1de0ee6d6fa45e5cfadbb945631481309f4cb62b23c6ac54ccb9aa655f9
                                              • Instruction Fuzzy Hash: 59B16974D053888FDB06CFB9C45469EFFF2BF8A304F2480AAD845AB26AD7355906CB51

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 2c448b0; calls 2c44c88, 2c44c98, 2c48c10, 2c48c01, 2c4ac70 and 2c4ac2f]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8aq$8aq$h
                                              • API String ID: 0-1188309919
                                              • Opcode ID: 7b4edaada5f0e93c8860abd2ee3f6383ef36e78c6307075288e0a71122ffef6b
                                              • Instruction ID: 9fedb9c3cb2b3eb4592dfffbda36773e5e381286f1db6edc8502973a81257221
                                              • Opcode Fuzzy Hash: 7b4edaada5f0e93c8860abd2ee3f6383ef36e78c6307075288e0a71122ffef6b
                                              • Instruction Fuzzy Hash: ABB1A274E00218DFDB64DFA9D994B9DBBB2FF88300F2085A9E519A7394DB305A85CF50

                                              Control-flow Graph

                                              [Control-flow graph (rendered image not captured; executed/not-executed colouring lost): function starting at 12e381a; calls 12e4f38]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Q!$$]q$S}
                                              • API String ID: 0-3994096182
                                              • Opcode ID: 12715c9c3a7c89f9ecac74f27a5b4978e7742f14668db04c25b348a289a73cf3
                                              • Instruction ID: 5fac45e6a4af45a8eec08c798fc21acdf15076b12badce87d5e977c1414fb4f1
                                              • Opcode Fuzzy Hash: 12715c9c3a7c89f9ecac74f27a5b4978e7742f14668db04c25b348a289a73cf3
                                              • Instruction Fuzzy Hash: FE71F074E1420DDFDB04CFA9D4899AEBBF6BF88301F20842AE906A7764DB345946CF51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Te]q$Te]q
                                              • API String ID: 0-3320153681
                                              • Opcode ID: bb6d9422cc44545490f3bc1628885edb1215460692e242388b71be5040b3df3f
                                              • Instruction ID: 9449d775f0bc6236a7f18e2a4cbd5636266da73f00ab2c8d234ca4bc5175801e
                                              • Opcode Fuzzy Hash: bb6d9422cc44545490f3bc1628885edb1215460692e242388b71be5040b3df3f
                                              • Instruction Fuzzy Hash: 13A15974D063888FDB06CFB9C45459EFFF2AF8A304F2480AAD845AF26AD7355906CB51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Q+(i$Q+(i
                                              • API String ID: 0-3998099878
                                              • Opcode ID: 1f4e7164122c211df3d72627671b6d9c4d925577ef41b5e3eb5687984a9f9dae
                                              • Instruction ID: 2885f643030c3bc6dd65376a2094d392be7949791975c064f79855b8dff28601
                                              • Opcode Fuzzy Hash: 1f4e7164122c211df3d72627671b6d9c4d925577ef41b5e3eb5687984a9f9dae
                                              • Instruction Fuzzy Hash: 5581FFB4D2122D8FCB04CFA9C4896EEBBF2BF89300F64942AD416BB254DB745A41CF55
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Te]q$Te]q
                                              • API String ID: 0-3320153681
                                              • Opcode ID: ebe1e3e97200465ebb5c597d0b779dc79418e4b96cf0fb426c36eda414cdb975
                                              • Instruction ID: aa9f8855d72b45a7dc6c6f7deeda627d7782ed633add7ec95d55b5bdd981d1cc
                                              • Opcode Fuzzy Hash: ebe1e3e97200465ebb5c597d0b779dc79418e4b96cf0fb426c36eda414cdb975
                                              • Instruction Fuzzy Hash: 8E71A274E002198FDB08CFA9C994A9EFBF6FF88300F24852AD915AB358D7359906CF51
                                              APIs
                                              • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 012EA813
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: CreateProcessUser
                                              • String ID:
                                              • API String ID: 2217836671-0
                                              • Opcode ID: f39a489582527fafe66aa346419c362f5b7dd28ff1af2c2976c72f7adee1aa67
                                              • Instruction ID: 0c6c929b1cbeca872a4307e2f1871289ff76ea03f9c2d951247faa00dd233052
                                              • Opcode Fuzzy Hash: f39a489582527fafe66aa346419c362f5b7dd28ff1af2c2976c72f7adee1aa67
                                              • Instruction Fuzzy Hash: 3251F47190022ADFDB24CF99C844BDDBBB5BF48300F4484AAE919B7250DB759A89CF90
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0130A60B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: dd85a95ca1e66faf03246bc49faec54c1b8ee089fb770947a28e35e01830b22a
                                              • Instruction ID: 7fbea5dd993ee30005ecaf63df5e8fa35771c90e16982fc2c104b9dfb3b1d1cf
                                              • Opcode Fuzzy Hash: dd85a95ca1e66faf03246bc49faec54c1b8ee089fb770947a28e35e01830b22a
                                              • Instruction Fuzzy Hash: E1417F758063849FC7138FB9C44469ABFB0AF5B228F1940DED494AF623C23A954ACB52
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: <
                                              • API String ID: 0-4251816714
                                              • Opcode ID: 67b09c5fc81e9eeeebcee6db0e60db25a0e814c0b0822d3a7ec904d566bd3f8e
                                              • Instruction ID: 991c074e0decf7c8fe14d2bed98357ee1d9931f529910a4b0e13f79378c35664
                                              • Opcode Fuzzy Hash: 67b09c5fc81e9eeeebcee6db0e60db25a0e814c0b0822d3a7ec904d566bd3f8e
                                              • Instruction Fuzzy Hash: 86618575E006188FDB59CFAAC9446DDBBF2AF88305F14C1AAD408AB365DB345A81CF50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: <
                                              • API String ID: 0-4251816714
                                              • Opcode ID: 1c64507e1acd023df5b9541f73d0ef652b43013850d09573e3cc831e29cff3d3
                                              • Instruction ID: 904a3d69ec92e424ff1785ea32273441632930cceb5fb76ae80d7ef41d802611
                                              • Opcode Fuzzy Hash: 1c64507e1acd023df5b9541f73d0ef652b43013850d09573e3cc831e29cff3d3
                                              • Instruction Fuzzy Hash: 4D517274E01618CFCB55CFAAC9846DDBBF2BF89305F1480AAD409AB365D7349A85CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d1edc4f550e24c5da029bd206b1ac4e1c140c9072bf90d47aa44407562284811
                                              • Instruction ID: 969e144fa6592f30bff717c5d4180ef0c6bbdf48c5cae7209b179baf3b32c91d
                                              • Opcode Fuzzy Hash: d1edc4f550e24c5da029bd206b1ac4e1c140c9072bf90d47aa44407562284811
                                              • Instruction Fuzzy Hash: 1C527D70A00349CFDB14DF68C844B99B7B2FF89314F2582A9D5586F3A1DB71A986CF81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6c582b9279a07ae22fb5cfbac4daf08943a6ebfe7f18489c39af036f5fcf9e17
                                              • Instruction ID: cd4e92c27a3c1a64cd02de9405ba346004d928d26d6f210e61135e819771b7be
                                              • Opcode Fuzzy Hash: 6c582b9279a07ae22fb5cfbac4daf08943a6ebfe7f18489c39af036f5fcf9e17
                                              • Instruction Fuzzy Hash: 90526C30A00349CFDB14DF68C844B99B7B2FF89314F2582A9D5586F3A1DB71A986CF81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f88703459e0a0ef69fd24e445ab63a97222ff0c84ed58dd9fc37a063af0c248
                                              • Instruction ID: a6984c54620657797356c707ae8aeb3e78661cebf7924ffea58af9c995695825
                                              • Opcode Fuzzy Hash: 6f88703459e0a0ef69fd24e445ab63a97222ff0c84ed58dd9fc37a063af0c248
                                              • Instruction Fuzzy Hash: 8ED12874E25269CFCB64CF25D944BDDBBF6BF89300F108AE6D409AB214E7749A858F40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eac3cf1de25b5f1b12ba561a7943894dac057120b9f692f68084fc6b89c6164e
                                              • Instruction ID: 4a4881e967d7071b244f095cae445400856261c210c19bf738f438a9fe66b8f3
                                              • Opcode Fuzzy Hash: eac3cf1de25b5f1b12ba561a7943894dac057120b9f692f68084fc6b89c6164e
                                              • Instruction Fuzzy Hash: F2C13370A0420ADFCB05CFE9C4919AEFBF6FF89314B648159D415AB295C734EA82CF94
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 41a27b21424d5c6b413b838280b1f122d57b9064f4bfd74d8a24cddf83159730
                                              • Instruction ID: 2826dc56d4a9feaab4b21135c0875c1d7ce493e839d5eb4b0be1fec344bb5b97
                                              • Opcode Fuzzy Hash: 41a27b21424d5c6b413b838280b1f122d57b9064f4bfd74d8a24cddf83159730
                                              • Instruction Fuzzy Hash: 4EC10370E0420ADFCB05CFE9C4919AEFBF6FF89314B648159D415AB694C734AA82CF94
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c66d89c86ecc62ea64b5d9155ee2508320fee89875a9c584754c012156d93f5
                                              • Instruction ID: 8996995b298cd861e81713c19169070b4bfc687eb7acad2078c32e7cea46cf29
                                              • Opcode Fuzzy Hash: 8c66d89c86ecc62ea64b5d9155ee2508320fee89875a9c584754c012156d93f5
                                              • Instruction Fuzzy Hash: EE615C74E14209CFDB09CFAAC5506AEFBF2EF89301F24D06AD419A7299D7348A41CF95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a58937febdceef0126c90ef20004ec669f200cfa1e8403ce812d9664ee15083b
                                              • Instruction ID: 7ea25bb17e260bac69558fa8c4a8c863d1ae809b88ccfd5eab8134cc49529f3a
                                              • Opcode Fuzzy Hash: a58937febdceef0126c90ef20004ec669f200cfa1e8403ce812d9664ee15083b
                                              • Instruction Fuzzy Hash: EC512A74E1420ACFDB09CFAAC5506AEFBF2EF89301F24D06AD415A7298D7349A41CF95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 41d2cc87ab3bd294f69e24435a724c6d76ff2d857e7bf4e9a4f2acf4f50117d8
                                              • Instruction ID: ef4279f9c7b4f584789dd3cad76afd348a1bc24610a29bd7382fe75b649a89d6
                                              • Opcode Fuzzy Hash: 41d2cc87ab3bd294f69e24435a724c6d76ff2d857e7bf4e9a4f2acf4f50117d8
                                              • Instruction Fuzzy Hash: 944165B4D2520A9BCB04CFA6D8496EEFBF5FF89300F50942AE511BA210D77896518FA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c12736e4597908142c3a071023b7d8e481e63fbc5883b7fc4b91dc7f45c597c4
                                              • Instruction ID: 9b87a66ec761f1fd1afb7eb2ac377525351f14067f458014be2992573b3292b2
                                              • Opcode Fuzzy Hash: c12736e4597908142c3a071023b7d8e481e63fbc5883b7fc4b91dc7f45c597c4
                                              • Instruction Fuzzy Hash: E14167B4D2424A9FCB04CFA6D8496AEBFF1FF89300F10942AE511A7250D7789652CFA5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c81672f461e1a769866fbeb91d0571dbd3721902a918a6d145dfb4620e1dab2e
                                              • Instruction ID: 448f7b5b5178347eccab34ece95a2b9fd613c02b73b83ccbd11cbf05249fc433
                                              • Opcode Fuzzy Hash: c81672f461e1a769866fbeb91d0571dbd3721902a918a6d145dfb4620e1dab2e
                                              • Instruction Fuzzy Hash: 2D41D074E01209DFCB04CFA9D984AEEBBB2FF89314F14846AE415A7260DB359E45CF90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: db90fd0a1136d3772b57d8775e9167dbc552f79c8ff01ee517c3e0066d4c5d23
                                              • Instruction ID: 300acbb0ca28949c7f2e0a550f6cb3147c37c55559b51b62022b75c5ce77e357
                                              • Opcode Fuzzy Hash: db90fd0a1136d3772b57d8775e9167dbc552f79c8ff01ee517c3e0066d4c5d23
                                              • Instruction Fuzzy Hash: 3841BF74E012099FCB04CFA9D584ADEBBB2BF88314F14806AE815A7364DB359941CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96399bf54fbb88fd9da0d903970b79c20e5ee5e7e3114a36b01ef26ca4690084
                                              • Instruction ID: 59e832f3d5389a9bf1f0053c2afcb56db432c43f64f04e240c815fcea8c34e2e
                                              • Opcode Fuzzy Hash: 96399bf54fbb88fd9da0d903970b79c20e5ee5e7e3114a36b01ef26ca4690084
                                              • Instruction Fuzzy Hash: A13114B1E106188BEB19CFAAD9543DEFBF6AFC8300F14C16AD409A6268DB750A45CF50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Haq$Haq
                                              • API String ID: 0-4016896955
                                              • Opcode ID: b069b7b6448363694a8e020d90c31caa700b6d76d824f3481a1a3f39172857c8
                                              • Instruction ID: 420388adfb52b1dcb268c28535590d3646016deefda58f5157b2bd06c50bbb02
                                              • Opcode Fuzzy Hash: b069b7b6448363694a8e020d90c31caa700b6d76d824f3481a1a3f39172857c8
                                              • Instruction Fuzzy Hash: 08E1CD307002159FCB15AF68D858B6F7BAAAFC9745F248429E906CB398DF74CD81CB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q$PH]q
                                              • API String ID: 0-1166926398
                                              • Opcode ID: f73f24fbffec53c61ab8f0662cc68f8177ff50d5784359aa520f51fb0284966d
                                              • Instruction ID: 6b42109909971eddda63cf94cbf18fd663ed9a08067b7ad00a19dc88b60a5f88
                                              • Opcode Fuzzy Hash: f73f24fbffec53c61ab8f0662cc68f8177ff50d5784359aa520f51fb0284966d
                                              • Instruction Fuzzy Hash: 57C12AB4600609CFDB28DF68D594AADBBF5BF89310F1145A8E50AEB7A1CB31EC41CB50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (aq$Haq
                                              • API String ID: 0-3785302501
                                              • Opcode ID: 2a8a067f31ba635c5d382de3eb4d0c809557a74624a7fb8efb3cea3a774eae70
                                              • Instruction ID: 060c4091a071a549a49be43f4a4d38ec31489fd3f0dbffdf2e95630abef558eb
                                              • Opcode Fuzzy Hash: 2a8a067f31ba635c5d382de3eb4d0c809557a74624a7fb8efb3cea3a774eae70
                                              • Instruction Fuzzy Hash: FC5134B16042219FE724EF2CC4546EABBA6FF85700F2985AAD50D9BB55CF34AC02C791
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: 1f2680a39f909209ebb9dcaca9485cbc4545758be5d37dbd2ef5a479e4c3ea1d
                                              • Instruction ID: 7710e5d2a27332397994f9e07797f9ece21e0ca88e1c4a13f33265426d1e1ed2
                                              • Opcode Fuzzy Hash: 1f2680a39f909209ebb9dcaca9485cbc4545758be5d37dbd2ef5a479e4c3ea1d
                                              • Instruction Fuzzy Hash: 54627E71A14218CFC708AF79E89955DBFB2BF89304F404969E489E7390EF785C46CB52
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID: 0-4174289123
                                              • Opcode ID: 434c0cb326e7af98182d858034dcb1909cfa2991b048db2933ee604926cac5e6
                                              • Instruction ID: 57ba4c630bdb59e5e5d8071a047d50c16410abd3ce0548c788b58ed6d6b9abc1
                                              • Opcode Fuzzy Hash: 434c0cb326e7af98182d858034dcb1909cfa2991b048db2933ee604926cac5e6
                                              • Instruction Fuzzy Hash: 0212F671B182158FC709BBB8D95462E7FB2AF86204F454969E089F7381EE3C9C06C763
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: @
                                              • API String ID: 0-2766056989
                                              • Opcode ID: c156f16a19943a7e1228b85308b72bbd3530e46d14215eb70686dfab2723fba3
                                              • Instruction ID: b804b11a7461e61aa73cf20e286b876b77309fcd6e85354d383d2d14ba2447b9
                                              • Opcode Fuzzy Hash: c156f16a19943a7e1228b85308b72bbd3530e46d14215eb70686dfab2723fba3
                                              • Instruction Fuzzy Hash: 0C126070E18258CFC705AB78E85D65DBFB1BF85304F0449A9E489EB381EF785C468B92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (aq
                                              • API String ID: 0-600464949
                                              • Opcode ID: 7c86833f2b028c481f8522a8f5fc0f24f19cf6856150b7acdefaeed1d4c68125
                                              • Instruction ID: 70e3b5bc1bfbf1b2b056bb73fef5606b6a8d94c83e651fc9233b42b1f9841d43
                                              • Opcode Fuzzy Hash: 7c86833f2b028c481f8522a8f5fc0f24f19cf6856150b7acdefaeed1d4c68125
                                              • Instruction Fuzzy Hash: C1123674A00205CFDB58DF68D498AADBBB6BF88314F1581A8E509DB7A5CB34EC45CB90
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05E70D31
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3056645809.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e70000_Signed Document.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: a2c5ea2b6d74840a04e6a4ba49b3fdb784f5d2d517ba222352969e1399b29d46
                                              • Instruction ID: ef782c1dca888b02e1634394f022d28c316b463d05f9cffded7c8ab7bac7b9ae
                                              • Opcode Fuzzy Hash: a2c5ea2b6d74840a04e6a4ba49b3fdb784f5d2d517ba222352969e1399b29d46
                                              • Instruction Fuzzy Hash: 904147B8900309CFDB14DF99C488AAABBF5FF88314F24C459D559AB321D374A941CFA0
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 012ECD98
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: e30ff8ce677a238892551b73321ad6a5d72040bf2864ca90d61f76a721801fe6
                                              • Instruction ID: c00ba9f76289b37e74e1d4a283832a2ed7247b4988c742a56e8a245d22ac887b
                                              • Opcode Fuzzy Hash: e30ff8ce677a238892551b73321ad6a5d72040bf2864ca90d61f76a721801fe6
                                              • Instruction Fuzzy Hash: 2A2155B59003099FCB10DFAAC884BEEBFF5FF48310F10842AE919A7240C7799954CBA0
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 012ED506
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: aada3a6a454560c6b6e0c13297c4893f76553336ef4699a3f26b21da959626dc
                                              • Instruction ID: 709fe60e7f298492b102d040d03b934af5af79b9e64a235c40caa22d365690fe
                                              • Opcode Fuzzy Hash: aada3a6a454560c6b6e0c13297c4893f76553336ef4699a3f26b21da959626dc
                                              • Instruction Fuzzy Hash: 3B2134B19002098FDB10DFAAC485BEEBFF4EF48314F54842AD519A7241CB78A985CFA0
                                              APIs
                                              • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 012EC33E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 53065e05df9e247ad4249ff2c8d8a346aff3be22d8079a1c33914033364fabcb
                                              • Instruction ID: edf9263d0780689f7b25901af6d0a58314ce8588a12c2234728e2ff1b4347066
                                              • Opcode Fuzzy Hash: 53065e05df9e247ad4249ff2c8d8a346aff3be22d8079a1c33914033364fabcb
                                              • Instruction Fuzzy Hash: 222135B19003098FDB10DFAAC4857EEBBF4EF48314F54842AD519A7240CB78AA85CFA0
                                              APIs
                                              • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 012ED277
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: bff3dde9e8dd50b63a2c63b0fc24fee083b5952d71be9b3fbe48ea12092b596f
                                              • Instruction ID: 140aaa4e43081536641ecfe678707c2d7c4ef0888c5de20a1d0024aea94239c7
                                              • Opcode Fuzzy Hash: bff3dde9e8dd50b63a2c63b0fc24fee083b5952d71be9b3fbe48ea12092b596f
                                              • Instruction Fuzzy Hash: 162115B18003099FDB10DFAAC444AEEBBF5FF48320F54842AD519A7251CB799945CFA1
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 077891B0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059229948.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7780000_Signed Document.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: b9a500d20baf5d0755d715faee404004275b73ba754c8399d4401ae64eaeb4e1
                                              • Instruction ID: 65a1739710a5172705db9f3fda3a214d9030f5f8b28ad874960aa49e932fa7ea
                                              • Opcode Fuzzy Hash: b9a500d20baf5d0755d715faee404004275b73ba754c8399d4401ae64eaeb4e1
                                              • Instruction Fuzzy Hash: 2C2127B1C0461A9FCB10DF9AC5447AEFBB5FF48320F148969D918A7240D778A944CFE5
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 012E3793
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 970dc34b9d64a86b34cb064bd805d8caefdce4563aa117524775dd9238575095
                                              • Instruction ID: f7a01617ec60da1d652ac6bb6be23ced9679dd729cc410933abc58a8b1b561a7
                                              • Opcode Fuzzy Hash: 970dc34b9d64a86b34cb064bd805d8caefdce4563aa117524775dd9238575095
                                              • Instruction Fuzzy Hash: D62106B69002499FDB10DF9AC584BDEBBF4FB48321F10842AE958A7251D378A544CFA1
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 012E3793
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: b454355440704c00feadd2f0b2124504d3450652b12df4ca8672b13831d797cb
                                              • Instruction ID: c57d924b446cfc1b916a178e9cec6dd9672b1d48aa2f0a81076147618494663b
                                              • Opcode Fuzzy Hash: b454355440704c00feadd2f0b2124504d3450652b12df4ca8672b13831d797cb
                                              • Instruction Fuzzy Hash: 8621F6B59002499FDB10DF9AC984BDEFBF5FF48320F108429E958A7251D378A944CFA1
                                              APIs
                                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0130A60B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 1ccf4325af47d6610d96814a948e364ee4c73949b7a28bd8f037531a25938635
                                              • Instruction ID: bf09aecc360526daa7c6c644edf4b62cd8967773d6061146c58447557a8f5a79
                                              • Opcode Fuzzy Hash: 1ccf4325af47d6610d96814a948e364ee4c73949b7a28bd8f037531a25938635
                                              • Instruction Fuzzy Hash: BB21D3B59002499FCB10DF9AD984ADEFBF4FB48320F108429E958A7251D378A544CFA5
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 012EC9FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 6f39245576f094253f4464e4218dd12458b6d877344996c6f71b42434a781c7f
                                              • Instruction ID: 9267568b5b28626e45d94b5186a9c2c914f6cde442deffc40411e81c67fe9b64
                                              • Opcode Fuzzy Hash: 6f39245576f094253f4464e4218dd12458b6d877344996c6f71b42434a781c7f
                                              • Instruction Fuzzy Hash: C91137758002499FCB10DFAAC845AEEBFF5EF48320F148419E519A7250C779A554CFA0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 014f322b2bc5a01b57b11e88761690c6f17d1759bbd3eaed52c05fecf2c09f64
                                              • Instruction ID: 28796087a569102535caddfcb6b476de5ab214838958d123dadcd91ce97af9fa
                                              • Opcode Fuzzy Hash: 014f322b2bc5a01b57b11e88761690c6f17d1759bbd3eaed52c05fecf2c09f64
                                              • Instruction Fuzzy Hash: A91128B59002498FDB24DFAAC4457AEFBF5EF88314F248419D519A7250CB79A544CBA0
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 05E7FE58
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3056645809.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e70000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: b88ce764a0a690f0e9c54e8f343fbcf31d90711dce2af7dd7cfe8b007b14dbec
                                              • Instruction ID: 6b77b0ff611c4d64751b76f578841a3fd49140fd1abc5244259d4e6f4b3d1976
                                              • Opcode Fuzzy Hash: b88ce764a0a690f0e9c54e8f343fbcf31d90711dce2af7dd7cfe8b007b14dbec
                                              • Instruction Fuzzy Hash: 3C1155B1800349CFCB20DF99C545BEEBBF4EF48320F10842AD869A7241D339A984CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 012EDDBD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 9bcaae0bcdae069406370f248e97e18d197e776f519748a75000a839a3bf6eb7
                                              • Instruction ID: 5f515d75a4547921142d037c7eb70d9f98824c3e8b3f1217ae92125d94c00660
                                              • Opcode Fuzzy Hash: 9bcaae0bcdae069406370f248e97e18d197e776f519748a75000a839a3bf6eb7
                                              • Instruction Fuzzy Hash: E51106B581034DDFDB10DF99C489BDEBBF8EB48310F108459E518A7200C375A944CFA5
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 05E7FE58
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3056645809.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5e70000_Signed Document.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: cbc01dfe975ce2a813ae176d8ea3b9f3d9a5b3e5ec612f846138b4d2b2086424
                                              • Instruction ID: 91d17ac4e17a8253af91c715fadc1aa6dc792e5e523406d178e03bc0269249b6
                                              • Opcode Fuzzy Hash: cbc01dfe975ce2a813ae176d8ea3b9f3d9a5b3e5ec612f846138b4d2b2086424
                                              • Instruction Fuzzy Hash: 521133B5800349CFCB20DF9AC545BDEBBF4EB48320F10841AD968A7241D339A584CFA5
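The records above are the per-function output of the Joe Sandbox IDA plugin: each carved function is tied to the memory-dump region it came from (the `Offset:` in `Source File`), the Win32 APIs it references, and Joe's normalised `API ID` tag. Read one at a time they are hard to use; grouped by region they show that the functions carved from the `012E0000` dump together reference `Wow64GetThreadContext`, `VirtualAllocEx`, `VirtualProtectEx` and (by its `API ID` tag, the `ref:` line being absent in the report) `ResumeThread`, which is the standard primitive set for writing a payload into a suspended foreign process and resuming it. The script below is an added example, not part of the report and not Joe Sandbox code: it parses the record layout as printed here, groups API references by dump region, and flags regions that cover every role in a role table of my own choosing (the `INJECTION_ROLES` mapping is an analyst heuristic, not a Joe Sandbox signature). The sample input is a constructed excerpt of this report's records with the Opcode/Instruction hash lines trimmed.

```python
"""Group Joe Sandbox IDA-plugin function records by memory-dump region.

Added example, not report or Joe Sandbox code. Parses the APIs / Memory Dump
Source / Similarity records as printed in the report and shows which carved
region holds the remote-injection primitive set.
"""
import re
from collections import defaultdict

# Constructed sample: records excerpted from this report, hash lines trimmed.
# The ResumeThread record has no "ref:" line in the report, only the API ID tag.
SAMPLE = """\
APIs
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 012EC33E
Memory Dump Source
• Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
Similarity
• API ID: ContextThreadWow64
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 012ED277
Memory Dump Source
• Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
Similarity
• API ID: ProtectVirtual
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 012EC9FE
Memory Dump Source
• Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
Similarity
• API ID: AllocVirtual
APIs
Memory Dump Source
• Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
Similarity
• API ID: ResumeThread
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0130A60B
Memory Dump Source
• Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
Similarity
• API ID: ProtectVirtual
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 077891B0
Memory Dump Source
• Source File: 00000000.00000002.3059229948.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
Similarity
• API ID: DeleteFile
"""

API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+).*based on PE:\s*(?P<pe>true|false)")

# Analyst heuristic (assumption, not a Joe Sandbox signature): names as they appear
# in "ref:" lines, plus Joe's API ID tag where the report prints no ref line.
INJECTION_ROLES = {
    "allocate_remote": {"VirtualAllocEx"},
    "protect_remote": {"VirtualProtectEx"},
    "thread_context": {"Wow64GetThreadContext", "Wow64SetThreadContext", "ContextThreadWow64"},
    "resume_thread": {"ResumeThread"},
}


def _new_record():
    return {"apis": [], "api_id": "", "offset": None, "based_on_pe": None}


def parse_records(text):
    """Split the plugin output into one dict per carved function."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("APIs", "Strings", "Memory Dump Source"):
            # A record is complete once its dump offset is known; a heading after that
            # starts the next one (some records begin directly with Memory Dump Source).
            if cur is None or cur["offset"] is not None:
                if cur is not None:
                    records.append(cur)
                cur = _new_record()
            section = line
        elif line.startswith("•") and cur is not None:
            body = line.lstrip("• ").strip()
            api = API_RE.match(body) if section == "APIs" else None
            if api:
                cur["apis"].append(api.groupdict())
            elif body.startswith("Source File:"):
                m = OFFSET_RE.search(body)
                if m:
                    cur["offset"] = m["offset"].upper()
                    cur["based_on_pe"] = m["pe"] == "true"
            elif body.startswith("API ID:"):
                cur["api_id"] = body.split(":", 1)[1].strip()
    if cur is not None:
        records.append(cur)
    return records


def regions(records):
    """Merge every function's API names and API ID tags per dump region."""
    out = defaultdict(lambda: {"functions": 0, "apis": set(), "api_ids": set()})
    for r in records:
        reg = out[r["offset"]]
        reg["functions"] += 1
        reg["apis"].update(a["name"] for a in r["apis"])
        if r["api_id"]:
            reg["api_ids"].add(r["api_id"])
    return dict(out)


def injection_roles(region):
    names = region["apis"] | region["api_ids"]
    return {role for role, aliases in INJECTION_ROLES.items() if names & aliases}


def suspicious_regions(records):
    """Dump regions whose carved functions cover every remote-injection role."""
    return sorted(off for off, reg in regions(records).items()
                  if injection_roles(reg) == set(INJECTION_ROLES))


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for off, reg in sorted(regions(recs).items()):
        print(off, reg["functions"], sorted(reg["apis"]), sorted(injection_roles(reg)))
    print("injection-capable regions:", suspicious_regions(recs))
```

Run against the excerpt, only `012E0000` covers all four roles; `01300000` references the local `VirtualProtect`, which the role table deliberately does not count, since changing protections in one's own process is routine for a .NET unpacker and says nothing about a foreign target. The `PostMessageW(?,00000010,...)` reference in the same region is worth noting while triaging: message `0x10` is `WM_CLOSE`. Treat the role table as a starting point to tune, not a verdict.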
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q
                                              • API String ID: 0-1259897404
                                              • Opcode ID: 9127f959725a0093ba87afd84c09323e2736a5f9ec16d414347897df204dd8a5
                                              • Instruction ID: d08cfb78b0d68fe580aa1f5c624b3986dd9c831338b66e29e36043e1a702193e
                                              • Opcode Fuzzy Hash: 9127f959725a0093ba87afd84c09323e2736a5f9ec16d414347897df204dd8a5
                                              • Instruction Fuzzy Hash: BC919CF1A14119CBC704FBBCE98966E7BF6EB89205F408869D449E7344EA389C05C7A2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q
                                              • API String ID: 0-1259897404
                                              • Opcode ID: d1027eb07bb62b4627d23eaadc917a90833f2f9f5826253afcf101bed2c8db75
                                              • Instruction ID: 7107e853a6f9df62e00326cbb23793382286baa14019529d4493d15c3614081f
                                              • Opcode Fuzzy Hash: d1027eb07bb62b4627d23eaadc917a90833f2f9f5826253afcf101bed2c8db75
                                              • Instruction Fuzzy Hash: F0818F75A01259DFCB15DF68D988B5EBBB1FF84304F1685A9E8059B262DB30EE44CB80
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Haq
                                              • API String ID: 0-725504367
                                              • Opcode ID: 06c2916e9592423b90f287eb219cc4282989d0093d34fdd7243f80f4469e8590
                                              • Instruction ID: 1cf4c6c860e0e05620b0d93d887eaa831aa29d02f857e0565ccb18fa4692f82d
                                              • Opcode Fuzzy Hash: 06c2916e9592423b90f287eb219cc4282989d0093d34fdd7243f80f4469e8590
                                              • Instruction Fuzzy Hash: F54154763002259BD7166F7898906BF7AABFFC5710B644425E90ACB395DE38CC42C3D2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: dc7bbd16eddb5b3e1e923b143124163014761181af0899b671761d9e2b4bdda6
                                              • Instruction ID: fed3e35bd66de1fe98a8fecff49bb25aa60f93977047297f5124bc38bf8431b5
                                              • Opcode Fuzzy Hash: dc7bbd16eddb5b3e1e923b143124163014761181af0899b671761d9e2b4bdda6
                                              • Instruction Fuzzy Hash: 515189B17105068FEB28DF28C984BA9BBB5FF49310F1581A9E54ADB665CB70EC05CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: aa9c254a19cfe3079a6ec1d29ffa8c2972cce192e2441a33e6b4bff454b3ea9a
                                              • Instruction ID: a54631b8bfce330a9116d57e4ad2c8deee42f003919b47f4b6474eefb14b0696
                                              • Opcode Fuzzy Hash: aa9c254a19cfe3079a6ec1d29ffa8c2972cce192e2441a33e6b4bff454b3ea9a
                                              • Instruction Fuzzy Hash: 3D5148B0A01605CFD728DF68C988A99BBF1BF49314F1185A9E50AEB7A1CB30EC41CF50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (aq
                                              • API String ID: 0-600464949
                                              • Opcode ID: 0ed94de4aa215324f63594602ff5ec0d146fa8b47053da3025fa68a271ea803f
                                              • Instruction ID: e4be66848f6a2f310226eabe0770f1d3635647f597f94e1e23a50ac6ea06c829
                                              • Opcode Fuzzy Hash: 0ed94de4aa215324f63594602ff5ec0d146fa8b47053da3025fa68a271ea803f
                                              • Instruction Fuzzy Hash: 164192703106018FD768DF38D849B963BA6BF81724F1585A9E55ECB3A1DF74E88ACB40
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8aq
                                              • API String ID: 0-538729646
                                              • Opcode ID: f167e605b446388865ed774501402962a7384d35705741c8e7d1a1fa5331295d
                                              • Instruction ID: b4a3346b87d05f83d4c38cb13fde390963dcc3e0ba551d199a956375a679e52e
                                              • Opcode Fuzzy Hash: f167e605b446388865ed774501402962a7384d35705741c8e7d1a1fa5331295d
                                              • Instruction Fuzzy Hash: 4641E4B4D00258CFDB18CFA6D488BADBBF2BF88305F24806AE415AB394DB745A45CF50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 8aq
                                              • API String ID: 0-538729646
                                              • Opcode ID: 6644f33cd5086a6196a7edb2878198be78ce1d79c6c690906cfacf1045ca9307
                                              • Instruction ID: 1d66eda3b616d1f24c77a3859ed148c9e878a84d741a75a2b4009b59ef8cc6fa
                                              • Opcode Fuzzy Hash: 6644f33cd5086a6196a7edb2878198be78ce1d79c6c690906cfacf1045ca9307
                                              • Instruction Fuzzy Hash: 6C31C174E00249CFDB58DFA9D884AAEBBB1BF89710F248029E419B7354DB306942CF50
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q
                                              • API String ID: 0-1007455737
                                              • Opcode ID: bfb71f85f715cdea080b54fbf939e4066af49e0e44c18c127686f35197eb1a4f
                                              • Instruction ID: 696ad09040b24e21b4bc0fa8566c48ae408e68f12be6aa5e800012b0cc40d930
                                              • Opcode Fuzzy Hash: bfb71f85f715cdea080b54fbf939e4066af49e0e44c18c127686f35197eb1a4f
                                              • Instruction Fuzzy Hash: C52156B43502018FA7359A39D959A7A37E9EFC965171580AAD609CBBB4EF34CC02C711
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $]q
                                              • API String ID: 0-1007455737
                                              • Opcode ID: b96ef31ba56654b83b2c3032bdae16211fb310ee540a1636e22b5a53aa99afb5
                                              • Instruction ID: 2dab14fcf0cc213fb3ecae73883499ec5389fdff82ba5241a9b8231f20c7c109
                                              • Opcode Fuzzy Hash: b96ef31ba56654b83b2c3032bdae16211fb310ee540a1636e22b5a53aa99afb5
                                              • Instruction Fuzzy Hash: B72186B43101028FEB359B39D95DA7977E5EFC5651B1541AAE60ACB6A0EF24C801C710
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: +H2k^
                                              • API String ID: 0-2319402720
                                              • Opcode ID: af4807098a53cc3552a673a4b467511826a867f8fc8aa5cbd7e75715dac88c00
                                              • Instruction ID: e9dfa34b43984a2139325dd4fb0653593fe80ebc0ffb77cc3dc62e5dcaa00402
                                              • Opcode Fuzzy Hash: af4807098a53cc3552a673a4b467511826a867f8fc8aa5cbd7e75715dac88c00
                                              • Instruction Fuzzy Hash: ED21B5F5E043468FEB10DFACD805E6EBFF0AF55220F1085AAD654DB251E73496058BD1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (aq
                                              • API String ID: 0-600464949
                                              • Opcode ID: 89faf9f68fd626532f912eafb63da226eee70454aebb4486ea8e79bd71154476
                                              • Instruction ID: 445df3d1a17616bea97d53616bb2f76033059fe40ebd2f053b5670c3fb70e323
                                              • Opcode Fuzzy Hash: 89faf9f68fd626532f912eafb63da226eee70454aebb4486ea8e79bd71154476
                                              • Instruction Fuzzy Hash: 7F1125323086950BC7125B7EE81871A7FE5DBC6665F2440AFE509C7792CE62DC068391
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: TextQset_Hea5erText
                                              • API String ID: 0-2231878855
                                              • Opcode ID: 82ef52428af3d5fe59749d03d6d62500af2573b07e075ff2451566df60b3e09b
                                              • Instruction ID: 8bd7ec81c20caab154b10bfa5c0ad6b78acba92eb2c7c22492db3f9ad378f740
                                              • Opcode Fuzzy Hash: 82ef52428af3d5fe59749d03d6d62500af2573b07e075ff2451566df60b3e09b
                                              • Instruction Fuzzy Hash: 34E08C7A70001047E6051768F61E3AD7A9FDFD8611F08002AEA0BE77A6DE684C0247A5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: +GR
                                              • API String ID: 0-4043610377
                                              • Opcode ID: 48dd12892ad5928b4acada2a1b23fab8975ee598cd4de735bb0b50a74e7a93b6
                                              • Instruction ID: 149efa08d20711b28412fe30b6bdfb8c299b3f5e3d136be43b2c2afbc041ef1e
                                              • Opcode Fuzzy Hash: 48dd12892ad5928b4acada2a1b23fab8975ee598cd4de735bb0b50a74e7a93b6
                                              • Instruction Fuzzy Hash: 87D012721541089E9B40EF98E844C537BDCBB646407008033F648CA130E621E968E7D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9cf862a1ee2d6dfca50ba483ddae3be6abf4a8880f6bdd2e5c32e766167d580e
                                              • Instruction ID: 813b59a359cf2f4bcc125eaf221a1d3dce10623764cf63bcd8252d00c53ddef3
                                              • Opcode Fuzzy Hash: 9cf862a1ee2d6dfca50ba483ddae3be6abf4a8880f6bdd2e5c32e766167d580e
                                              • Instruction Fuzzy Hash: 2B62E7F0D01B428AEB749FB4D5883EE7AA1AB41348F604A1ED2FECA740DB75D542CB15
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ad6be3b0a7afeef3c8d6691f9f6b68ee1e4678446b5873f39c7169217f0dafe0
                                              • Instruction ID: 88018afc505912da231f912faf713656f639234d117e9bdca987e7b05a05a308
                                              • Opcode Fuzzy Hash: ad6be3b0a7afeef3c8d6691f9f6b68ee1e4678446b5873f39c7169217f0dafe0
                                              • Instruction Fuzzy Hash: C5226BF0905B438AE7789BB484843DEB690AB06388F704A5BC1FECA755D774D187CB4A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 17b27ca51242e960b98c3456a04f464a1d1e36db69f382c0134023a2a1cffab3
                                              • Instruction ID: 31b1da8906f510e3498b7385954ab7a7d0497ec6745049d9818614674153417e
                                              • Opcode Fuzzy Hash: 17b27ca51242e960b98c3456a04f464a1d1e36db69f382c0134023a2a1cffab3
                                              • Instruction Fuzzy Hash: 65F14070E14218CBDB18AF78E94D65DBBB1BF88304F404969E489E7344EF785C468B92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5c9476961deee90f2c25059837fc36938175eb77658810558f1ade3f338d091c
                                              • Instruction ID: 10c1e9663e10d730eb7d061dafa923167ab076645fa150505b7f5fba07bb8237
                                              • Opcode Fuzzy Hash: 5c9476961deee90f2c25059837fc36938175eb77658810558f1ade3f338d091c
                                              • Instruction Fuzzy Hash: 18D1F371A18254CFC706BB78D85925C3FB2BF8A208F4549A9D089E7391DB3CAC46C762
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1b1280e62479de972b7a7da86c01025c33f1ab3e83692de0fc51447dbb2e369
                                              • Instruction ID: df97e92fdbe2e42e1fb3524470dce6871b0be5cbd816b7da244a26cf79f301ad
                                              • Opcode Fuzzy Hash: c1b1280e62479de972b7a7da86c01025c33f1ab3e83692de0fc51447dbb2e369
                                              • Instruction Fuzzy Hash: 05C17272A10215CBC705BBBCE89912D7FF2EF89605F454D68E449E7384EE389C85C7A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a24b4103dd3b825e9b7e55b1ecddfc82d63a12e6f6c28a1889a9b6de7d3a4849
                                              • Instruction ID: 4981d710d2da48d2c368db2f10f64dfd6ae45f81b45f11641d656c8efe4bcf52
                                              • Opcode Fuzzy Hash: a24b4103dd3b825e9b7e55b1ecddfc82d63a12e6f6c28a1889a9b6de7d3a4849
                                              • Instruction Fuzzy Hash: 91C17171B14210CFC308BB7DE95921D7BE6AB89314F418D6CE499E7394EE389C49CB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8748902fbb741d67d311b1a794816147f5f30c4ad027d5267d30c3516d097de9
                                              • Instruction ID: a4aa530c2c980134ba262acad47af7c00a54842125603ec09e3ab33828103c73
                                              • Opcode Fuzzy Hash: 8748902fbb741d67d311b1a794816147f5f30c4ad027d5267d30c3516d097de9
                                              • Instruction Fuzzy Hash: 12C19271B10225CBD704BBB8E89965D7BB2BF89308F414968D049E7394EF7CAC46C762
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 385b6bb066a55fdd31e43c08ac5e3effc12658cd0016ccab6eeea0216d113fc7
                                              • Instruction ID: 5919e05b661ad0f0c0eb58e182b8093dc4f939ca6ea5fce4450c2818f47cf444
                                              • Opcode Fuzzy Hash: 385b6bb066a55fdd31e43c08ac5e3effc12658cd0016ccab6eeea0216d113fc7
                                              • Instruction Fuzzy Hash: 1DC19F71E10214CFC708FBB9E48956D7BF2AF89308F408969E499E7394EF78A845CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fc2756869f9e243613bfd412336b3d327ca4fb63d867c9c768212d08503bcc81
                                              • Instruction ID: 2c8865566a685a050b2e45275dabb404803d51572ecd87b560b86f2c52c62197
                                              • Opcode Fuzzy Hash: fc2756869f9e243613bfd412336b3d327ca4fb63d867c9c768212d08503bcc81
                                              • Instruction Fuzzy Hash: BBD1D3B4B10B05CFE734DF78C844AAA77B6AF89310B504A79E61A8B7E1CB35D945CB10
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37cdcd837fe0bb5650b1ce348d2a2db172550fdbee7863686e78707a11922f78
                                              • Instruction ID: 5b811d4aeabeb7428e8cd7348af678fea0ba9b395e803f6351b589739ae8aa8a
                                              • Opcode Fuzzy Hash: 37cdcd837fe0bb5650b1ce348d2a2db172550fdbee7863686e78707a11922f78
                                              • Instruction Fuzzy Hash: 47B1C371A14214CFCB05BB78E89925D7BB2FF89308F414968D089E7394EB7CAC46C762
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dfb812b325397c99276bcfba2551b534430885994fe2cd31459a040e77338681
                                              • Instruction ID: ff6e65078fa62a57a5dc6c590fd8b50a3428edac38ba485f6df04f078b3b7568
                                              • Opcode Fuzzy Hash: dfb812b325397c99276bcfba2551b534430885994fe2cd31459a040e77338681
                                              • Instruction Fuzzy Hash: 95B19371A14214CFD705BB78E89925D7BB2BF89308F414968D089E7394EF7CAC46C762
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8bdb8beb21de29f65449c478dda8939a7a1fa13592edd3f98d0238266d919831
                                              • Instruction ID: 7f3aa5e78cc3bc1f3a5ac96be5706202d6bece36b32623b1bf26936c5389e8c0
                                              • Opcode Fuzzy Hash: 8bdb8beb21de29f65449c478dda8939a7a1fa13592edd3f98d0238266d919831
                                              • Instruction Fuzzy Hash: D9A19E71B14210CFC308BB7DE95921D7BE2AB89314F408D6DE499E7394EE389849CB92
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6168d8efdb44697d5f2d1a388467eed6d99556497b7c0bc2c0a00efd3d43733
                                              • Instruction ID: 7619039046439483860877a01f97b0548396d6e671b4de81110b994791568cb0
                                              • Opcode Fuzzy Hash: c6168d8efdb44697d5f2d1a388467eed6d99556497b7c0bc2c0a00efd3d43733
                                              • Instruction Fuzzy Hash: 1CA1B372A14215CFC705BBB8E49922D7FF2FF89205F444869E485E7394EE389C45C7A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 53bdde900d81b639a6b1b7dc86878bb89c425a46fb6cd835c2cfaab0e736b8c4
                                              • Instruction ID: 3786ea7a03de9bc54a9bb1df3669a527570852c411c52659e64f74d938ae3ea7
                                              • Opcode Fuzzy Hash: 53bdde900d81b639a6b1b7dc86878bb89c425a46fb6cd835c2cfaab0e736b8c4
                                              • Instruction Fuzzy Hash: 3D917076A10215CFC705BBB8E49912D7FF2AF89605F444878E449E7394EE389C86C7A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 533dd0d580c891fcd9c87f8dc2e26175540ccd77f8f553a914f0b0d0f8d72717
                                              • Instruction ID: 99862ae53deb253e73c5aba519ab82fb5e05bd8b5929effb1241b956c432ac74
                                              • Opcode Fuzzy Hash: 533dd0d580c891fcd9c87f8dc2e26175540ccd77f8f553a914f0b0d0f8d72717
                                              • Instruction Fuzzy Hash: A771A3B1B14215CBC704FBBCE89966EBFF1AB85604F404969D488E7394EE3C9C498792
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c258b0f9efbf94105b7a664f718b6d0cd8a011ebbf9ae8784b01d5c0248e5193
                                              • Instruction ID: f8a5f7cbda402faa5802a15f7581f5fd935062ae6a28934941d4b5f6f62f9cf4
                                              • Opcode Fuzzy Hash: c258b0f9efbf94105b7a664f718b6d0cd8a011ebbf9ae8784b01d5c0248e5193
                                              • Instruction Fuzzy Hash: B4816DB1B1420ADFEB34DF68C444BEABBB6EF84314F148129D61997A90DB31D881CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d62fd5053d34de8074d0414893eae194ddf3da652c975a4e9779c31880c73f8
                                              • Instruction ID: 9b0ba6ebeb82cb96bdf1855a8b4c45b4cbe0ec72c3a30c444e89ce2bf6322c45
                                              • Opcode Fuzzy Hash: 8d62fd5053d34de8074d0414893eae194ddf3da652c975a4e9779c31880c73f8
                                              • Instruction Fuzzy Hash: 686163B1B14125CBC704FBBDE88966EBFF5AB89704F404969E448E3344EE3C9C498792
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8eb680f8b3365699148acf8caaa3a26aba5e4fa3a78b23d96f09ebc7214e842e
                                              • Instruction ID: 59dc45409c29347be18ac64bb10c0e970e0ea28548ea8337b95be819c61faea4
                                              • Opcode Fuzzy Hash: 8eb680f8b3365699148acf8caaa3a26aba5e4fa3a78b23d96f09ebc7214e842e
                                              • Instruction Fuzzy Hash: BE710270240605CFDB24DF28D898EA97BB5FF85304F1594A9D64A8B672DB30EC09CBA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 507cb57839d2dd601dfca74fc8c7f0b61e09bd477fe0e075dfb976a1e217fb6d
                                              • Instruction ID: dc8463e94916e5996f7b194705246c815331c60c37bacf7905fb5366c09ead8c
                                              • Opcode Fuzzy Hash: 507cb57839d2dd601dfca74fc8c7f0b61e09bd477fe0e075dfb976a1e217fb6d
                                              • Instruction Fuzzy Hash: 5761C5B4700605CFE7348F68C844BAABBB6FF89320F144669E6568B7E1CB75D841CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c28fcf60ecbb251f108ead186e916b47662deac9c7ed2ab29518ab467cc76622
                                              • Instruction ID: d94b8a231e31ca82c573e2596b8d308cbcb17c2b007c8328e43020f05af3d28e
                                              • Opcode Fuzzy Hash: c28fcf60ecbb251f108ead186e916b47662deac9c7ed2ab29518ab467cc76622
                                              • Instruction Fuzzy Hash: 7B41C1B1A003199FDB10DF69D884AEFBBF9FF84310F14C42AE909A7640D7359549CB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5010b797c16491ac63e5571927958ba37a9ecab71b88f784df060405b46f8e52
                                              • Instruction ID: d58386e992d3d0e8c12898c1c8bda3106d08ce6ae68b867fd8314f6e34a95b86
                                              • Opcode Fuzzy Hash: 5010b797c16491ac63e5571927958ba37a9ecab71b88f784df060405b46f8e52
                                              • Instruction Fuzzy Hash: CD4153B0700601DFEB749B24D494BAAB3BAFF85710F544529D34A8BAA0CF75BC46CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a7db6f0634d24420ddc7a090dcb0410383eadc9ec03952138432e64bd042073
                                              • Instruction ID: 8358507d13f93d3e001ce88d0add1b484512cfe11ecc59126055570c5d9bbc8b
                                              • Opcode Fuzzy Hash: 5a7db6f0634d24420ddc7a090dcb0410383eadc9ec03952138432e64bd042073
                                              • Instruction Fuzzy Hash: 7F4162B0300601DFEB35AB24C884BAEB3BAFF85710F144569D3498BAA1CF75B846CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5a865e6ea34ae8dcf62794a028f6dd37220af9e419c314e3c11a5408a13a928a
                                              • Instruction ID: 96a88287f8610c16c659713d494fb085ca73fd8319e6d0f8f71d0a512982382a
                                              • Opcode Fuzzy Hash: 5a865e6ea34ae8dcf62794a028f6dd37220af9e419c314e3c11a5408a13a928a
                                              • Instruction Fuzzy Hash: 273168B16083548FC306BBB8DC986597FB1EF46214F4408ABE088DB241EE3C9C06C792
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d1730b1875ae5c1df725406476788456394f8d5b18ec4efea4ebaea0c429af22
                                              • Instruction ID: 2372459489dae2d4df126e7d5c53b88388471164ced429f517ffdf3b6e8887c8
                                              • Opcode Fuzzy Hash: d1730b1875ae5c1df725406476788456394f8d5b18ec4efea4ebaea0c429af22
                                              • Instruction Fuzzy Hash: AD318D707002408FE769EF3898509AABBE6BFC9204B14497CD50A9B791DF35DD06C7A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a181ee09a1be1eafda510d6ff2f31159ffb6cd6f0b12ec21cdc6ea1b6b7c649f
                                              • Instruction ID: ebf80af260c657755a59b44b2dbdfaa6d3f55824fd1504635d0aaeed174150bb
                                              • Opcode Fuzzy Hash: a181ee09a1be1eafda510d6ff2f31159ffb6cd6f0b12ec21cdc6ea1b6b7c649f
                                              • Instruction Fuzzy Hash: 8B41B3B1700A118FD729AB38D45866DBBE6FFC9211B144669E10ACB7A1DF74DC02CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd8d69b2c55d992ffd7928e86897837c170fd5bed4431bb58f0acfd6c138fc8e
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b4c1248f7a2c1c1468a351e07b48ddff1efd73c2485330f48732556669e75efd
                                              • Instruction ID: af7883cd72891cabf60fc28cecd4dd22089f4263e1cfa898945f1ca04fee40da
                                              • Opcode Fuzzy Hash: b4c1248f7a2c1c1468a351e07b48ddff1efd73c2485330f48732556669e75efd
                                              • Instruction Fuzzy Hash: B711E7707043105BE739A669C995BAA73DAEFC5310F54C83DD6498B694CF75D8068780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf879650e64c62d7617b0d7ef6391a466cfe53aa9c31b57ea83f5c71fc2b672b
                                              • Instruction ID: 774e492087e7a6f42a156ce6da9a0412ca8b959a3eae07de452a7429d64e259e
                                              • Opcode Fuzzy Hash: cf879650e64c62d7617b0d7ef6391a466cfe53aa9c31b57ea83f5c71fc2b672b
                                              • Instruction Fuzzy Hash: B21151B2B141158BD704BBB8EC9966DBBA2BB88614F844969D05CE7340EE7898058791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94dda46ba2a59223700e8b8698d03cbbd842cbbdd8b7517a4dfd6c8f37195762
                                              • Instruction ID: cde553feb87a701b8cc2cb7087a1bb26704809ebe4b176abf589f09789db62bf
                                              • Opcode Fuzzy Hash: 94dda46ba2a59223700e8b8698d03cbbd842cbbdd8b7517a4dfd6c8f37195762
                                              • Instruction Fuzzy Hash: C5116D35A112049BDB008E69E849ADEBBB6BF88310F14812AF912A7390DF71AD50CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 63700c0ab53184e0867b36770a3f41fadf4d31704443c73482c5768e9c2ae6f3
                                              • Instruction ID: a277579c578be9db27ca795fb37555cb58aa07db1d7b0056ed4b5b8df2498fe4
                                              • Opcode Fuzzy Hash: 63700c0ab53184e0867b36770a3f41fadf4d31704443c73482c5768e9c2ae6f3
                                              • Instruction Fuzzy Hash: 8311E576B00912CFC7195A29D898A3E77AAFFC575572940B8E906EB394DF31DC02CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 69f09298a7f18343445a987a9d51396750ec490918bb41abf31c3849bf1c813d
                                              • Instruction ID: f08d3639238f9bdd1f4bc4ea8060772b0ee8f4f04ef2f10530a66fdf7e29e60c
                                              • Opcode Fuzzy Hash: 69f09298a7f18343445a987a9d51396750ec490918bb41abf31c3849bf1c813d
                                              • Instruction Fuzzy Hash: F41102703003108FE738EAA9C881BAA73DAEFC4310F14C839D6498B694CFB5D8028780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aeb8bccc2861cd061c63a2f30e3c9258b360aaa55a0ae04df505a2bfc51c9769
                                              • Instruction ID: 2770912f5cc2aa4b7628d349ce111f6dc28979f1fa29f2a3a9ca5b09627acd82
                                              • Opcode Fuzzy Hash: aeb8bccc2861cd061c63a2f30e3c9258b360aaa55a0ae04df505a2bfc51c9769
                                              • Instruction Fuzzy Hash: 88110132B00514CFDB04DE24D48875A77A6FBC6719F258129E92ADB288DF70DD81CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e946840ded58f772519025dd15afacc7a64161deecfdecc1654429f6fd4912a0
                                              • Instruction ID: 60ab97e4dd38d6bff079f2d46e6a1afe54cbca6708aa4ac6c65b416f7ee8725e
                                              • Opcode Fuzzy Hash: e946840ded58f772519025dd15afacc7a64161deecfdecc1654429f6fd4912a0
                                              • Instruction Fuzzy Hash: 7A01C0B270022A96FB18DE19DCC05FF77AAFFC0204B04C42AE909DB544EA36D80AC791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f67a88b3beececb7c8c1c0956aea289e7a930c82cc92228e1762972640b2854b
                                              • Instruction ID: 546d5bdfb4b81666603b835d4a8de838ef35f3d78b731373bd57e03c9f48b3d3
                                              • Opcode Fuzzy Hash: f67a88b3beececb7c8c1c0956aea289e7a930c82cc92228e1762972640b2854b
                                              • Instruction Fuzzy Hash: 44111C743406008FC739DF69E4A4A66B7F9EFC5325714896DE44AC76A1CF61EC06CB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c43c0e1874671eb967d13210d30e2a2c84412a71a6cdf49c46e79307d17145d7
                                              • Instruction ID: fcb73f8e19738a080d52374d513595468ffb9a6381b363198aca62094ae3aabd
                                              • Opcode Fuzzy Hash: c43c0e1874671eb967d13210d30e2a2c84412a71a6cdf49c46e79307d17145d7
                                              • Instruction Fuzzy Hash: A0110275E002099BDB04DFA9D855BEEBBB1FB88710F10802AE514B7390DB74A944CBA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007038686.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_136d000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: 4f3e4eb00bb0ce3bc4310016d7608d395d29fa31220f7c283fc5b73dc29d49c7
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: A711BE75604280CFDB12CF54D5C4B15BF71FB88318F24C6A9D8494B65AC33AD40ACB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007038686.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_136d000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: 8634b204f79b4fdc34461e048424d6e5abd26eb9db41a0714523fd1ab1391996
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: CB11BB75604280DFDB12CF54C5C4B15BFB1FB84228F28C6A9D8894B29AC33AD44ACB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cc8318d7b92da3ab4946c5e4fbea45f63fb5ef760f7155d01a418aed62dc534c
                                              • Instruction ID: f66733c9338d8a672ed82be14e2d1742788c9a8d43ffaafde57059760b4af30e
                                              • Opcode Fuzzy Hash: cc8318d7b92da3ab4946c5e4fbea45f63fb5ef760f7155d01a418aed62dc534c
                                              • Instruction Fuzzy Hash: 2B11A1F1F142465FEB35DF7A98446EEBBF6AF89200B04816ADA4DE7605EB30D4008B55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 451224d5c51bd69afa4e121e4572a1c1cdbca125fc0aad577135b4b1da1419e6
                                              • Instruction ID: cd40a60057dbfaf413cb38e2a1830d147f59b2a635050d0c4c5f9b398b8345ce
                                              • Opcode Fuzzy Hash: 451224d5c51bd69afa4e121e4572a1c1cdbca125fc0aad577135b4b1da1419e6
                                              • Instruction Fuzzy Hash: 9111F275E00219DBCB14DFA9D854BEEBBF5BB88711F10842AE514B7390DB745940CBA0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f0cadd1c2314eab1d3ae9e41fb66aa21a2af7da7cdd2164f9dfeee364b4e58d5
                                              • Instruction ID: 45f5cf96473b9bb22f3927a820fe96ebb8edd280b323646012102307544d94ce
                                              • Opcode Fuzzy Hash: f0cadd1c2314eab1d3ae9e41fb66aa21a2af7da7cdd2164f9dfeee364b4e58d5
                                              • Instruction Fuzzy Hash: B10184753501058FD724A72C845897E36EFEFC96507191069DA0ADBB65EE28DC0287A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2bc2169694c2acd5d03bbb768b3184e5a7d2b83be563c5c2e9cf232afe7255e2
                                              • Instruction ID: 4167f4328cabd2972bd8b5ec337e3debb772dafc744b7c9cbfc17a258f20646f
                                              • Opcode Fuzzy Hash: 2bc2169694c2acd5d03bbb768b3184e5a7d2b83be563c5c2e9cf232afe7255e2
                                              • Instruction Fuzzy Hash: 49115131210B518FC324DF29E90871B7BEAEF89325F10872CE1964B794DB74A8068F90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a592917c9ea2219d2fdae9d2c43c3e65ab528366812ce7e0fd2ce1f78a20089c
                                              • Instruction ID: 27e376f35136e7f434738469de4b43b4fa9229617dbe139d0228b7443d9ee801
                                              • Opcode Fuzzy Hash: a592917c9ea2219d2fdae9d2c43c3e65ab528366812ce7e0fd2ce1f78a20089c
                                              • Instruction Fuzzy Hash: 4C01D8B5204644CFD7349F39D540A967BF9EF5A215B1440AEE209CB661DA31D841C711
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007003341.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_135d000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9934d73dc69022a11aa3f660c081e716d5a775994eaed23843c2551d14a156a7
                                              • Instruction ID: fceba364c7ab4fe2bc0675ae333611fa606d6d74180aab6eadb8818d963e2c9e
                                              • Opcode Fuzzy Hash: 9934d73dc69022a11aa3f660c081e716d5a775994eaed23843c2551d14a156a7
                                              • Instruction Fuzzy Hash: B5012B310043449EE7608EA9CC84F67FF9CEF45B68F18C429ED084A286C2799800CA71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ed182ab97d446d785c0381b13a48d0ec4f3cfa0fb3eedda34bb6aad2a3f46ede
                                              • Instruction ID: 49fca870df9515cc301bf62cfe0e1e6c64d4d090ab6dcd2b1a5563c3dc42f98a
                                              • Opcode Fuzzy Hash: ed182ab97d446d785c0381b13a48d0ec4f3cfa0fb3eedda34bb6aad2a3f46ede
                                              • Instruction Fuzzy Hash: 11F0A4753500008FC715A73CD458A7E3BEFEFC9654B1940A9EA06D77A6DE64CC0287D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e024d61f0e93031588f6f40f667034a3fed478c49470289cce734365fa1ea2c4
                                              • Instruction ID: 7c0e242536fde1c87d22c1cda70bb69fb5b342a8430b6621d1355be85a09f345
                                              • Opcode Fuzzy Hash: e024d61f0e93031588f6f40f667034a3fed478c49470289cce734365fa1ea2c4
                                              • Instruction Fuzzy Hash: 89F06D13A0D3E01FC703227D987549A7FB99D835A431A01EBC085CF2A3E848980987AA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d36c568e6037ad1201e485a232ec528e566b9061938fdb0698c739de8af20139
                                              • Instruction ID: 7080c082b41084ed7206177f740f6c35ea6f0c1e009806cf3b553e5dffe4c31d
                                              • Opcode Fuzzy Hash: d36c568e6037ad1201e485a232ec528e566b9061938fdb0698c739de8af20139
                                              • Instruction Fuzzy Hash: 5D016531200B018FC324DF29E51860B7BEAFF84721F108B2CD09A4B7D4DB74A8068F90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1c85339d63db03a52bb3b2e2963bf954b1abdbebae9f82f46c0c6c7d15fbb0ce
                                              • Instruction ID: 45b4aa47c6993771a1c5285905e074894bcde3d546fec8443b9414406908f326
                                              • Opcode Fuzzy Hash: 1c85339d63db03a52bb3b2e2963bf954b1abdbebae9f82f46c0c6c7d15fbb0ce
                                              • Instruction Fuzzy Hash: E1F09CB13211254BD7289E39D554AAA37BD9F81E55B040069E606CBB60FF51DC419790
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf3703d3b117e2d0f91edc2a22b78a12648cb6a7a1de70f31a0aeb2302b2d786
                                              • Instruction ID: 386264d0eb24124fdc8e890059b5ff906de94076e51e1c5372bb15d9cb05836e
                                              • Opcode Fuzzy Hash: cf3703d3b117e2d0f91edc2a22b78a12648cb6a7a1de70f31a0aeb2302b2d786
                                              • Instruction Fuzzy Hash: 09012876E00208CBCB08DFAAE9452EDBBB2AF8D321F14D529C415B3394DB344605CB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c37920c2f6309aae18d1934261b6a208f7ecbd2e659e5c5e95c60bd86ed9c557
                                              • Instruction ID: 43b9fdd78a5347cf483a2c4c7ce59b1366663188d5aea4ad6f941cf8a482f9a4
                                              • Opcode Fuzzy Hash: c37920c2f6309aae18d1934261b6a208f7ecbd2e659e5c5e95c60bd86ed9c557
                                              • Instruction Fuzzy Hash: 73F062B1115380CFDB335B34E86A1953F71BE76211345449AF052CF2D6DA35A486CB61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b31672fe180773276e41ec48fde86ae17c987de516ff9ce6b6fbbd720ee9b83b
                                              • Instruction ID: e653c7e595f5e759ae0a317a5fd85ca58580321cd436c81708c780d1d7913124
                                              • Opcode Fuzzy Hash: b31672fe180773276e41ec48fde86ae17c987de516ff9ce6b6fbbd720ee9b83b
                                              • Instruction Fuzzy Hash: 39F05BB43201254BA738DE3AD46497A37FD9FC5E557050069EA09CBB60FE61DC418791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c9b9835f8e4a5c867dd9e931edabe8737c08f12c342148b7f05f0e7c62377003
                                              • Instruction ID: 1699119c2f42943ee19ea6ef7f8ccbcb8bbc55192fa5c8210102d2d032d24ac1
                                              • Opcode Fuzzy Hash: c9b9835f8e4a5c867dd9e931edabe8737c08f12c342148b7f05f0e7c62377003
                                              • Instruction Fuzzy Hash: 77F0CDB07902198FD225A629C590AAAB6AAEFC0251F854439D30EDBE24DE34DC05C3A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ff617260c7042cb38597b559ec0b68d7669e38bd31b4e0125dd86be5aade9b36
                                              • Instruction ID: c6f0c20b416740f6ffb19f01f13e81c336361c694302a0a9999ecc2a955e5c46
                                              • Opcode Fuzzy Hash: ff617260c7042cb38597b559ec0b68d7669e38bd31b4e0125dd86be5aade9b36
                                              • Instruction Fuzzy Hash: E3F0F670E00208CBCB08DFAAE9096EEBBF6BB8D311F14D529D405B3264DF345905CB65
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007003341.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_135d000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 32d979caa55cbcd11072cd451a49f6e7dd19827e51adac70ad3b72cb9b96c802
                                              • Instruction ID: 74a0b1b7aa08153e0f662b15f07c2bb5cb9664a754e5029d6c7c9568f8198820
                                              • Opcode Fuzzy Hash: 32d979caa55cbcd11072cd451a49f6e7dd19827e51adac70ad3b72cb9b96c802
                                              • Instruction Fuzzy Hash: C4F096714043449EEB618E1ADC84B62FF98EF55774F18C45AED4C4F287C3799844CAB1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 955a9855a136b4eb6165d1817f2b96a883d76edbfced926bd67b8e3701462a6c
                                              • Instruction ID: 0191c39e20315994fccc6b19fa60cfb55267d34c82f5b0d64730ec769f04d8c7
                                              • Opcode Fuzzy Hash: 955a9855a136b4eb6165d1817f2b96a883d76edbfced926bd67b8e3701462a6c
                                              • Instruction Fuzzy Hash: 28F0BBF17501148FD2319629C551BEA77A9EFC0651F894079D34DDBA70DE34DC01C7A1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d287925666b23155c4f8884cb967ace7072968b6d27e23fec5cb43d9f06bbac8
                                              • Instruction ID: 169abcbe3fdf3e86253bad98d086fa6b3b78c0b9c3aecb09d869cb32101868bb
                                              • Opcode Fuzzy Hash: d287925666b23155c4f8884cb967ace7072968b6d27e23fec5cb43d9f06bbac8
                                              • Instruction Fuzzy Hash: F20192B9601508CFDB14DF68C584DD8BBB1EF48325F254195E915AB7A0CB32ED91CF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0796bb530d978ce6531703fb936b246647446d259b2df9b5325eb44a0abbc8d2
                                              • Instruction ID: 510643fbf54810a34753367da28f79748bbb125d44cfe0f1ba6ff35cfdc808c9
                                              • Opcode Fuzzy Hash: 0796bb530d978ce6531703fb936b246647446d259b2df9b5325eb44a0abbc8d2
                                              • Instruction Fuzzy Hash: 75F0B4F1D402059FEB00DBBCC905E9A7FF0AB18224F5085A9D225E7362E77556068BC1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a847d1c7fb5a4ac91e79e6ef1d2904a5939074c2c855156e8dfd3fcc5f86cd64
                                              • Instruction ID: 8bf64669853fd4f1aac7f3aaedf9c1205ed6e3c6d2d68878fcffb70a4b381b7e
                                              • Opcode Fuzzy Hash: a847d1c7fb5a4ac91e79e6ef1d2904a5939074c2c855156e8dfd3fcc5f86cd64
                                              • Instruction Fuzzy Hash: E6F0DAB0D1420A9FDB44DFADD845AAEBBF4EB48204F1089AAE518E7301E77496008FD1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8088c977fc951f66211a2180f52ac5edceca1e755004a872fc248bf6a40e9f47
                                              • Instruction ID: b2e0c63757d2236dc5b9acef1500844ac3683e91f9ffe42471895b72e29d8f21
                                              • Opcode Fuzzy Hash: 8088c977fc951f66211a2180f52ac5edceca1e755004a872fc248bf6a40e9f47
                                              • Instruction Fuzzy Hash: A2E02662D081808FCB294BE5582A2BA7FB4EEAB10575440C6C046CB265DE18D507E612
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f51ebef1beb5807d2c280f03f7bfd9b1fbf091b9c10f194c08afa0f065d56349
                                              • Instruction ID: f6fb1237483584e3c6bac2bdfede9e7b3f96e77a6ceacdecc95083d322a4f224
                                              • Opcode Fuzzy Hash: f51ebef1beb5807d2c280f03f7bfd9b1fbf091b9c10f194c08afa0f065d56349
                                              • Instruction Fuzzy Hash: 35E0ED749042049FCB21CBA8E98539C7FE0EB09321F2882D5980896382DA350B02D600
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e5fb521ffce69973a0ff53e51935879cb5cde59feb5c9c5e573b32365c0903a
                                              • Instruction ID: ee9429a12d7128804ac16c601c8f7dca5c69154b095026310a7d9d7d292b219b
                                              • Opcode Fuzzy Hash: 1e5fb521ffce69973a0ff53e51935879cb5cde59feb5c9c5e573b32365c0903a
                                              • Instruction Fuzzy Hash: E2E08672290024CFC725E61CC489BD573A8EF4A354F5985B3F60DDB729C775A8468741
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 188aceffccace20d59ee4a62ebbd8b68496424ef2f204284ee201c24b2292957
                                              • Instruction ID: 6138a2b91f78fabe0ea708ae12fb635e4a9eeeaff83c43c8ec0fdcc717d08633
                                              • Opcode Fuzzy Hash: 188aceffccace20d59ee4a62ebbd8b68496424ef2f204284ee201c24b2292957
                                              • Instruction Fuzzy Hash: 0BE08C76185128BF871227899884CD6BF9DEF59370B08C562F30D8B632C6529814EB95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 98198752df46e63cb669c22ebcf706731c36e7a900b2866ef75dac835d9f89c6
                                              • Instruction ID: d3b58b07440c8267275844284cd1e28d255c7e59f48bc4dce0902f2fd8480e5e
                                              • Opcode Fuzzy Hash: 98198752df46e63cb669c22ebcf706731c36e7a900b2866ef75dac835d9f89c6
                                              • Instruction Fuzzy Hash: 96E0863B104258AFC7064BC59C04DC6BFBAFB09260B09C192E28D47232D2528450E791
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eccbbcd5648271c2157229d0781da27183dd758b17245e8200fd879d3a4777de
                                              • Instruction ID: 57790fc7b265ac9e26113cbeb54796d29a1ec556463b5a828fdd3ce3a14671d5
                                              • Opcode Fuzzy Hash: eccbbcd5648271c2157229d0781da27183dd758b17245e8200fd879d3a4777de
                                              • Instruction Fuzzy Hash: 5BE04674D14208EFCB54EFB9A5492ADBFF8EB48305F2485A6D808A3305EB315B40DB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3495dbc1b05cb385cc1b557d3300c113025870a223a42b1847028a11ff7e31a3
                                              • Instruction ID: 814852112ce1cee22556520bc4d14cd8e4fcbba80185cc22563d3ff393115f1b
                                              • Opcode Fuzzy Hash: 3495dbc1b05cb385cc1b557d3300c113025870a223a42b1847028a11ff7e31a3
                                              • Instruction Fuzzy Hash: 09D05E323502249FD3149BB8F848E977BECEB48665B0540A6F60CCB621DAA2D8008780
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c6314f1560c9df591e6a010af482263d1edb8864e4e1ffe73664aab067c5f1a9
                                              • Instruction ID: 565a411e17a31c3cb50e7a5096d4b2e0031ffec5c8100233185c18aad0f0119e
                                              • Opcode Fuzzy Hash: c6314f1560c9df591e6a010af482263d1edb8864e4e1ffe73664aab067c5f1a9
                                              • Instruction Fuzzy Hash: 8DD05E353100144BC608226EB51E6AEBEEFDFC8721F04002AF90BD77A5DEA94C0247F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 683410c5203ee2d7f78aeddc518af315889e7b4648089978d6867c0d82a97d3d
                                              • Instruction ID: 76bfdfbb098f1cd550fb23804f57b496d8cffa594dee3471ce4a2e9ccae62d56
                                              • Opcode Fuzzy Hash: 683410c5203ee2d7f78aeddc518af315889e7b4648089978d6867c0d82a97d3d
                                              • Instruction Fuzzy Hash: EFD0C7123181A067C255526C7C46AAA6E5BDBCF965B4D115EF606D7744CD504C024350
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4154328dc577eea7cd5c7451d2d7055357cc6196f2abb355d7167a15b1e1aa2
                                              • Instruction ID: 762f6a0d0c7ce0da4eaf5ee117d90777417ce16800d349122328b7599d496f08
                                              • Opcode Fuzzy Hash: c4154328dc577eea7cd5c7451d2d7055357cc6196f2abb355d7167a15b1e1aa2
                                              • Instruction Fuzzy Hash: DDD05BB17199E50BD72B237CA93B17D2F350F8191174821DAD1D98F6A2CD4C091747CD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06314796e8a8b6093e2b75010766e904213b6a971d59284f05f22d382880e8f0
                                              • Instruction ID: da4d43acdb4484f26f70bc00ee50cfd20a390e91205e2f08fd13fd0fb57a658e
                                              • Opcode Fuzzy Hash: 06314796e8a8b6093e2b75010766e904213b6a971d59284f05f22d382880e8f0
                                              • Instruction Fuzzy Hash: 33E092B0D402099FD740EFB9C905A5EBBF0AB08604F1185A9D119E7321E77496058F91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b1f339ed77769b88795ef841f9c2d06406d0289b0980605e1d6758d31a9838d
                                              • Instruction ID: 00e8c4b0ddba1ba4c4cdc4421d0b14f9d039da640ba1804d7fafb19693ce3565
                                              • Opcode Fuzzy Hash: 5b1f339ed77769b88795ef841f9c2d06406d0289b0980605e1d6758d31a9838d
                                              • Instruction Fuzzy Hash: 8AD01732444649CBC246EB78F865B563B7EAF81304FE495B0A0068B269EB79A8898644
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 40acd506cac0126f4dd4fa9b70e3c1fd6c6a71f55b758d1dc55de7900a007d2a
                                              • Instruction ID: 5a06b1d8b7f5ad19e8207b400e7544e1d0ef605234487e0460a281371358bc2f
                                              • Opcode Fuzzy Hash: 40acd506cac0126f4dd4fa9b70e3c1fd6c6a71f55b758d1dc55de7900a007d2a
                                              • Instruction Fuzzy Hash: D4D012F2720D3D03592E326CA8291BD3A6D4FC5970B8421AAE24E8F790DE480E1303CE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dafb601245c3a93053f36e09fd2b4a3f5010b5efd437d707f590813f189b3d4b
                                              • Instruction ID: 2814aeb8c3ba19b9c3a86e23dbd6ed0db7b2941ac26c81a89c6d4c493cb82bfd
                                              • Opcode Fuzzy Hash: dafb601245c3a93053f36e09fd2b4a3f5010b5efd437d707f590813f189b3d4b
                                              • Instruction Fuzzy Hash: F8D09E37044108AFEB426F95DC45FC6BB6EEB58610F49C091A64C4A172D632D160FB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 71485f1f6190d389ea840e265ac0a181ad178f593fdb56ac6b4d4331c4e64438
                                              • Instruction ID: 38753d4926f3fe21f854cb9e7142cd5fa96bd463811e56325b3342203d25ba72
                                              • Opcode Fuzzy Hash: 71485f1f6190d389ea840e265ac0a181ad178f593fdb56ac6b4d4331c4e64438
                                              • Instruction Fuzzy Hash: 5FE09970220205CBD725AF74F81E5293BAABF646123844468F4068A6C4EF72E841CAA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cfe4d05a67e8e6c191754b22cf16d25d8e8621d8b4ef3a11efbc859d9f38b61f
                                              • Instruction ID: 52f0892d05516a1799226c975ffa6081a0720ca4ce8594bed6017ebe48eb4a84
                                              • Opcode Fuzzy Hash: cfe4d05a67e8e6c191754b22cf16d25d8e8621d8b4ef3a11efbc859d9f38b61f
                                              • Instruction Fuzzy Hash: 01D0A97608400CBFDB822BC0DC44DA5BBADFF58300F44C4A1FB0C8A432C222D228EB42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ad3b64760ec422e961849756787a147dace41e5e19c2023598d937052c46a622
                                              • Instruction ID: 45c497b8958443654c5a1b1c28f0815dd812f5164009626013b8af5f5b3fc636
                                              • Opcode Fuzzy Hash: ad3b64760ec422e961849756787a147dace41e5e19c2023598d937052c46a622
                                              • Instruction Fuzzy Hash: 92C0123144420ACBC64AFB75F845D19373EAF80304B909530E0060627DEF78D9898694
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q$PH]q
                                              • API String ID: 0-1166926398
                                              • Opcode ID: 0b2776345ac72735dca72b0321c5e8855f97f00b8afcce1ba20d64a70e4f42df
                                              • Instruction ID: 82dec5047ce709a61899994d28fa42f1b7600e44a873373d63f039235f8138be
                                              • Opcode Fuzzy Hash: 0b2776345ac72735dca72b0321c5e8855f97f00b8afcce1ba20d64a70e4f42df
                                              • Instruction Fuzzy Hash: 59D1B634A10605CFDB18DF69C698AA9B7F1BF8D701F6580A8E509AB371DB31AD41CF60
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Xaq$$]q
                                              • API String ID: 0-1280934391
                                              • Opcode ID: 291b1320fc9c685a2eafcd30812ed55d75427cb5eee2f360d6e68b2121ef9c76
                                              • Instruction ID: 3837b4e53712520c694e6792a01565decd7644327ee3ca7db830f18ca0fbf3b9
                                              • Opcode Fuzzy Hash: 291b1320fc9c685a2eafcd30812ed55d75427cb5eee2f360d6e68b2121ef9c76
                                              • Instruction Fuzzy Hash: 11814F75F002289BDB1DABB9985467F7BB7BFC8710F04892DE406E7288DE349806D791
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3007270184.0000000002C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2c40000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Xaq
                                              • API String ID: 0-686314484
                                              • Opcode ID: e0d47fe6faea47556648f6539ea897985403e079f9b20280b4dcc7ab2e68d95a
                                              • Instruction ID: 518e678bb93a993cd8c1c71bc7ed74ba3b7c9eb299488299a0beda6a27702e55
                                              • Opcode Fuzzy Hash: e0d47fe6faea47556648f6539ea897985403e079f9b20280b4dcc7ab2e68d95a
                                              • Instruction Fuzzy Hash: 90B16030704275CBDB385E3B958533B7AF6AFC5B51F698829D886C6288CF34C941CB96
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: L~
                                              • API String ID: 0-3876828424
                                              • Opcode ID: e6debef12a5c1dc283ab38965a28bffe18d1155c803e03082894f138d43f2d20
                                              • Instruction ID: a73fbf4d8ad99cd060e13a1132c48233bc8a0010ba115df4f69d5230c98120d2
                                              • Opcode Fuzzy Hash: e6debef12a5c1dc283ab38965a28bffe18d1155c803e03082894f138d43f2d20
                                              • Instruction Fuzzy Hash: DF91F274E15219DFCB08CFA9C9808DEFBF5FF88214F24986AD415AB664D334AA41CF91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: L~
                                              • API String ID: 0-3876828424
                                              • Opcode ID: 8d18bb678bb67b1342e85352d883779a252ceec822e2b35ea527a90eecb05e4c
                                              • Instruction ID: 430ebf22c4728514a3f25b1d55cf24023fc8c5ac7f7e372e13fff9d91dc175c8
                                              • Opcode Fuzzy Hash: 8d18bb678bb67b1342e85352d883779a252ceec822e2b35ea527a90eecb05e4c
                                              • Instruction Fuzzy Hash: 33910574E15219DFCB09CFA9C58089EFBF5FF88214F24986AD015EB664D334AA42CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 319760576b5bead8ea26de7abc1b76f0f4fab64e5f3931135c28defb6fff1493
                                              • Instruction ID: e972ab6bf339015564251fa2fea33b229e206e3234b77377d0edbed7389088c7
                                              • Opcode Fuzzy Hash: 319760576b5bead8ea26de7abc1b76f0f4fab64e5f3931135c28defb6fff1493
                                              • Instruction Fuzzy Hash: E6320271E043558FC706EFB8D89455DBFF2BF8A204B058A6AD049EB391EF389845CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059471797.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7830000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0666007df0672ff1e69ed821476b5d68df8c9c0a6814d3b5f0b442c471d6bbdb
                                              • Instruction ID: d291109511a0d03ecc7b1eb6f05e4e57bb4bcfe80033ec6ed452e89c6535c2c0
                                              • Opcode Fuzzy Hash: 0666007df0672ff1e69ed821476b5d68df8c9c0a6814d3b5f0b442c471d6bbdb
                                              • Instruction Fuzzy Hash: 8D22A271E10219CFCB09EFB9D88455EBBF2BF89304B558A29D049E7354EF389846CB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 25e896f911d5bfb38d74d0754a43b94741b48dfe535baea5f229af0ecdbf6037
                                              • Instruction ID: 1505ae6a3d26dc5f18e41f5f6b4ae85f54f92fbdb097183500f9a5e2f296612b
                                              • Opcode Fuzzy Hash: 25e896f911d5bfb38d74d0754a43b94741b48dfe535baea5f229af0ecdbf6037
                                              • Instruction Fuzzy Hash: 8EF1CD31B106018FEB19EB79C568BAE7BF6AFC9300F54846DD2469B391DB35E802CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059229948.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7780000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6ca93ba6e4eb4253d5a152603025ef972c549f75018e7d42113dfcefb90815e
                                              • Instruction ID: 07686166a7aac95a1a34a3e59553408f02dabc11bed01fb86d857cafe193f136
                                              • Opcode Fuzzy Hash: e6ca93ba6e4eb4253d5a152603025ef972c549f75018e7d42113dfcefb90815e
                                              • Instruction Fuzzy Hash: 16D10931D2075ACACB01EF64D990A9DB7B5FF95300F10879AE40977624EBB0AAC5CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3059229948.0000000007780000.00000040.00000800.00020000.00000000.sdmp, Offset: 07780000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_7780000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 638ee5245713c60dbdb974b42f00b7a77e391cd2780d3d82286a4f510611916f
                                              • Instruction ID: dbe5cd277c4f5029be7c7b920f56c380df90d82607b512ad9c562593980967f3
                                              • Opcode Fuzzy Hash: 638ee5245713c60dbdb974b42f00b7a77e391cd2780d3d82286a4f510611916f
                                              • Instruction Fuzzy Hash: CFD1F831D2075ACACB01EF64D990A9DB7B5FF95300F10879AD40977624EBB0AAC9CF91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4049cc438bf579d8ae1ff3dcc50a52ab30d5f0b8eb145c80ea79b05f7d62bcf2
                                              • Instruction ID: d30fd718acc6a9aab2d6937570e153848589bcde6211460936d65478a51ca255
                                              • Opcode Fuzzy Hash: 4049cc438bf579d8ae1ff3dcc50a52ab30d5f0b8eb145c80ea79b05f7d62bcf2
                                              • Instruction Fuzzy Hash: 9BA13574E24218CFCB48CFA9E98959DBBF6FF89300F14952AD54ABB258DB349801CF14
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa65f9b90e685b4f9349384d8962108c1cd99e840c0448cead7d2d3f4d280adc
                                              • Instruction ID: b55c6fa0ef7c567fcf6d96a7a852f0eeb5e1e499830732b368d93e12b1145361
                                              • Opcode Fuzzy Hash: aa65f9b90e685b4f9349384d8962108c1cd99e840c0448cead7d2d3f4d280adc
                                              • Instruction Fuzzy Hash: 0E710474E0520D8FCB15CFA9C9909DEFBF6FF89324F24946AD405B7264D3349A428B68
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e664c185af32af6cf4ad576be5893ffd429e21cb67d3c27b06e3cddf131abdfe
                                              • Instruction ID: 1ced849683534047d3508c614e2f0c05f83e35e7741c5389ff6089925eb1329b
                                              • Opcode Fuzzy Hash: e664c185af32af6cf4ad576be5893ffd429e21cb67d3c27b06e3cddf131abdfe
                                              • Instruction Fuzzy Hash: C671F674E0520D9FCB14CFA9C9809DEFBFAFF89314F24942AD415B7264D3349A428B68
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2411e8c635eabe0b9cbb7ffe213d2111fee5692133f63ab60dd581a40fee2dce
                                              • Instruction ID: 2fa0cc559b5165209000753d4d6a0de326074793fda9ce9ba8295191bfa633fe
                                              • Opcode Fuzzy Hash: 2411e8c635eabe0b9cbb7ffe213d2111fee5692133f63ab60dd581a40fee2dce
                                              • Instruction Fuzzy Hash: 4C7102B4E0421A8FCB15CF99D4908AEFBF2FF88354F18882AD415A7254D334A982CF94
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56f4b586083e547ef9bb1b277d0a19bc6755720a8a224e020b0652e46f6aef0d
                                              • Instruction ID: 2ec5568072a56ee72c4fc51a34961f928cbee0e35bf63c3741c3f2af8b2f02b7
                                              • Opcode Fuzzy Hash: 56f4b586083e547ef9bb1b277d0a19bc6755720a8a224e020b0652e46f6aef0d
                                              • Instruction Fuzzy Hash: 8D610774E0421A8FCB05CF99C5908AEFBF2FF88314F18896AD415A7255D334AA82CF95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18b261039970c3fe5bf1d0c665a91dcadd4a64ce906ca17adc0596dff80dc208
                                              • Instruction ID: ab67da73e4bb2a597094d96ac95f57e64626e0e69bdaa2b9dfd72999525cbf61
                                              • Opcode Fuzzy Hash: 18b261039970c3fe5bf1d0c665a91dcadd4a64ce906ca17adc0596dff80dc208
                                              • Instruction Fuzzy Hash: F26113B0E05209DFDB15CFA9C8915EEFBF9BF89304F1485AAD415A7294D3349A42CF90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4a0c262b5569608218e460a1d91101fafaf24d3c5b66d7a5271693f6e06560cc
                                              • Instruction ID: c969d6f588bdf28b0ba55962da9e29e9caaa05b90c83e64e867120cd7cb8f9a0
                                              • Opcode Fuzzy Hash: 4a0c262b5569608218e460a1d91101fafaf24d3c5b66d7a5271693f6e06560cc
                                              • Instruction Fuzzy Hash: 7D5129B0E152198FDB58CFAAC94468EFBF3BF89300F54C0AAD509AB215D7348A46CF55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 61b6b74c434a0e7ec46692ae564664b9daf230d235362255d1edc767ae45c11c
                                              • Instruction ID: d9b302116e507aece3812e6092602a2bbf41366838a1eae22cdee67927d79069
                                              • Opcode Fuzzy Hash: 61b6b74c434a0e7ec46692ae564664b9daf230d235362255d1edc767ae45c11c
                                              • Instruction Fuzzy Hash: 1B4107B0E0420A9FCB58CFAAC5905AEFBF6BF88314F24D46AC415A7294E3349641CF94
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 23414c8f27adb6f1edf69e46c687c8f35786ed6608d86269be25f5930fde1a58
                                              • Instruction ID: daeb7c29661c03db56ab029e8b1776c5f025ff01a32be1a83895e54c01554fd2
                                              • Opcode Fuzzy Hash: 23414c8f27adb6f1edf69e46c687c8f35786ed6608d86269be25f5930fde1a58
                                              • Instruction Fuzzy Hash: 9A416B70E0420A8FCB19CFAAC5915AEFBF6FF89314F24C46AC415A7295D3349642CF94
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 198bf3e68193d8ffe4866c3bc4681dd109d360bc7e949c7901d00ad808e0478b
                                              • Instruction ID: 764cc8b3b3cff5c82f5758f18986686d3c31de25339fd998ce6492995dac272c
                                              • Opcode Fuzzy Hash: 198bf3e68193d8ffe4866c3bc4681dd109d360bc7e949c7901d00ad808e0478b
                                              • Instruction Fuzzy Hash: 2541FA70E112198FDB58CFAAD84469EFBF3BFC8300F54C0AAD508AB214D7709A468F55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1e58c90a20e819feb00c0cd2ae576ac331e5e8ec363cbca161d0b5a9a1826ab0
                                              • Instruction ID: f79fb12fc31e9448a60db8613a7dd8bce1f445db3176a0c896f94af382657a53
                                              • Opcode Fuzzy Hash: 1e58c90a20e819feb00c0cd2ae576ac331e5e8ec363cbca161d0b5a9a1826ab0
                                              • Instruction Fuzzy Hash: CA415C71E116188BEB28CF6B8D4569EFBF3BFC8301F14C1BA950CA6214EB3409868F11
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fae1a466a05b64c2c7ec7e406f5350497a32b5606bb9bdbbc90df74eb32d0d23
                                              • Instruction ID: 65944385b3602598d19a49917a7870ae8e299cc721c09d49c1c02b3e8619d405
                                              • Opcode Fuzzy Hash: fae1a466a05b64c2c7ec7e406f5350497a32b5606bb9bdbbc90df74eb32d0d23
                                              • Instruction Fuzzy Hash: D5411EB1E116588BEB58CF6B8D4579EFAF3BFC8301F14C1BA950CA6259EB3409858F11
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006805727.0000000001300000.00000040.00000800.00020000.00000000.sdmp, Offset: 01300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1300000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 96c8acfac27dd047806712946f715fec3eb5d4b70b0070f60b858aafd202cf9a
                                              • Instruction ID: 5ad3810527172a31cc6bc1e3b4add14db81b303cab9effad7745074bfc7ae1b4
                                              • Opcode Fuzzy Hash: 96c8acfac27dd047806712946f715fec3eb5d4b70b0070f60b858aafd202cf9a
                                              • Instruction Fuzzy Hash: B131D971E006188FEB19CFABD85069EFBF7AFC8300F14C1AAD518A6264EB340A458F51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f5eac94583ef537d13143457c083cbb31f6cf79335e2bbd978b7c09508381235
                                              • Instruction ID: eb736972e6cdb3d052542dc439228f3fdb9e826e0e13a653182b3f42850231e2
                                              • Opcode Fuzzy Hash: f5eac94583ef537d13143457c083cbb31f6cf79335e2bbd978b7c09508381235
                                              • Instruction Fuzzy Hash: 38213671E116198BDB08DFAAD8406EEFBF7AFC9310F14C12AD518A7254EB345A418F51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d0e1c9aaa7d749657225a8d9dd245cc7513d0c14b93ab7a9009ab8a524b79286
                                              • Instruction ID: cf0cbb4a5f71bba080de963e42dfffa62c0191e67b22fcc7307cd60528a719c6
                                              • Opcode Fuzzy Hash: d0e1c9aaa7d749657225a8d9dd245cc7513d0c14b93ab7a9009ab8a524b79286
                                              • Instruction Fuzzy Hash: 92111771E116198BDB08CFAAD94569EFBF7AFC8210F14C06AD518A7214DA345A41CB51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14e61762814b0a0110a058141cc11017835260d49e51ced3bfe78dcfb985fcbf
                                              • Instruction ID: 831828147f2603c9a33702dd182f10402c0ea9661656d65b83aac8ba44d44859
                                              • Opcode Fuzzy Hash: 14e61762814b0a0110a058141cc11017835260d49e51ced3bfe78dcfb985fcbf
                                              • Instruction Fuzzy Hash: 75112C71E116198BDB48CFAAD8456DEFBF7EFC8210F14C03AD508A7218DB745A418F91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8e578bb3730a33715f70c27d36fdc905557dde9726b0749ed009f176fa62b247
                                              • Instruction ID: 4db37f412533404e97c1e6b9e3528d558e64b8df66551ea5d9d935861ffd450e
                                              • Opcode Fuzzy Hash: 8e578bb3730a33715f70c27d36fdc905557dde9726b0749ed009f176fa62b247
                                              • Instruction Fuzzy Hash: 8C115671E106188BDB08CFABE9446AEFBF7EFC8210F14C06AD508A7214DB304A018B61
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b508b8b3b018cab086096dd55fc0c4cda92d0ee6298cdf3d85da0ce6f8776b65
                                              • Instruction ID: b550d8978b5322eac625f2f1a444a05ee8d139e5b6edc2dce437c8f92b5da431
                                              • Opcode Fuzzy Hash: b508b8b3b018cab086096dd55fc0c4cda92d0ee6298cdf3d85da0ce6f8776b65
                                              • Instruction Fuzzy Hash: 62114771E112198BDB18CFAAE8446EEFBF7ABC8200F14C03AD408A7314EA305A418B55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d32558aad747f135d06b12bb73d60b56dbb8ee1454da5802e9cb8f9405c4419a
                                              • Instruction ID: 158d6f13e863d2aa15a64a43d821e6f19c0862933c35baf32832be889bf95a01
                                              • Opcode Fuzzy Hash: d32558aad747f135d06b12bb73d60b56dbb8ee1454da5802e9cb8f9405c4419a
                                              • Instruction Fuzzy Hash: DF1149B1E116488FDB49CFAAD9456AEBBF7EFC9300F18C06AD408E7214DA344A428F51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.3006775670.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12e0000_Signed Document.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fae3382ef828d1888f8487c0a2168d6dd478ce5fd389b62022942aca84c3a25
• Instruction ID: 640440b484a4fdc42ea7389e2c191f0636ae2f0eb14a2095b2d88e8550911c61
• Opcode Fuzzy Hash: 9fae3382ef828d1888f8487c0a2168d6dd478ce5fd389b62022942aca84c3a25
• Instruction Fuzzy Hash: 5C11FB71E116199BDB58CFAAD9456AEFAF7AFC8200F14C03AD408B7314EA344A458F55
Strings
Memory Dump Source
• Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
Similarity
• API ID:
• String ID: @$@$B$B$Haq
• API String ID: 0-1778894865
• Opcode ID: 78a6c9cb5c5458a1d30419d3dfb2a7412b7896a1168b6ab4d8e200ae7e4f792e
• Instruction ID: f30e492283c2a6b203bece55b1594617c6ace0b3bc81b8bdf2ee6b319426b15e
• Opcode Fuzzy Hash: 78a6c9cb5c5458a1d30419d3dfb2a7412b7896a1168b6ab4d8e200ae7e4f792e
• Instruction Fuzzy Hash: D741D1B1B002078FD724CB7CD8844AEBBB6FF89250B2445A6E21DD7AA1DB30DD01C791
Strings
Memory Dump Source
• Source File: 00000000.00000002.3058898289.00000000073B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_73b0000_Signed Document.jbxd
Similarity
• API ID:
• String ID: @$@$B$B
• API String ID: 0-685577651
• Opcode ID: 1bc3c9553447dc4b2c750d9be9300a32502b5649a6236207510d2b01765ca470
• Instruction ID: de53b106dd5d171a7e298bd5e77853fbaf753c2e17cfdc8d8ba7e41c95dac3d7
• Opcode Fuzzy Hash: 1bc3c9553447dc4b2c750d9be9300a32502b5649a6236207510d2b01765ca470
• Instruction Fuzzy Hash: 7D21B5F1A002178FDB24CF6DCD859AABBF5EF89210B145066E209EBA71D730DD40CB81

Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 99%
Signature Coverage: 0%
Total number of Nodes: 311
Total number of Limit Nodes: 12

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
Similarity
• API ID:
• String ID: 4']q$TJbq$Te]q$paq$xb`q
• API String ID: 0-1123639052
• Opcode ID: 4b54d25e6f23f0a4b3731cc0db84d3fcd2b5a770cd68b4f8b6a62e716b63c345
• Instruction ID: c56e3b718d2a17394f39f40c4da5cd19d9dc20d14fb0ff02b7c19b7048a93ed1
• Opcode Fuzzy Hash: 4b54d25e6f23f0a4b3731cc0db84d3fcd2b5a770cd68b4f8b6a62e716b63c345
• Instruction Fuzzy Hash: B9623875A00628DFDB55CFA8C984A69BBB6FF48305F1681A8E509AB365CB31EC51CF40

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
Similarity
• API ID:
• String ID: fbq$ fbq$ fbq$ fbq$Te]q$Te]q$XX]q$XX]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-2051120878
• Opcode ID: 6f4aa60b8ad355ee6e577a42b7f296e42a3f6bb52a6fd83c65f061d2902fc3f7
• Instruction ID: 49ad6725a23126ecf1209031d5e7b7aeef4aff07b1647bd8c6320267e6eab195
• Opcode Fuzzy Hash: 6f4aa60b8ad355ee6e577a42b7f296e42a3f6bb52a6fd83c65f061d2902fc3f7
• Instruction Fuzzy Hash: 50B12831E0421CCFDB28CA98D584ABDB7B7BF84704F69A565D8826B2D4DB309CC2CB51

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
Similarity
• API ID:
• String ID: fbq$ fbq$Te]q$XX]q$XX]q$$]q$$]q$$]q$$]q
• API String ID: 0-3284584015
• Opcode ID: b9b64890b139d8daaeaa64e9b8e0c78795fa288caeaf983a2a821c010e1d3524
• Instruction ID: b9285d5a0f5e7a34bc35b0e98470eaa645e5a3033512149130ce0bcb0b02a9fe
• Opcode Fuzzy Hash: b9b64890b139d8daaeaa64e9b8e0c78795fa288caeaf983a2a821c010e1d3524
• Instruction Fuzzy Hash: 61A15A71A0431CCFEB29CA98D484ABDB7B2BB40715F69B576E4C26B2D1D73098C2CB51

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: 6be87531aebc17aba3c89babd5c8004448e1cd077c90116776e70fa533102edf
• Instruction ID: 3a8f3065fe58f49c1b96886e0e416f72ea446b20cc402ef3db1903f4944eccb9
• Opcode Fuzzy Hash: 6be87531aebc17aba3c89babd5c8004448e1cd077c90116776e70fa533102edf
• Instruction Fuzzy Hash: 665191347001189FD719EF78D968BBE77EBEF88740F218068D90697394CE399C018B95

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
Similarity
• API ID:
• String ID: Haq$Haq
• API String ID: 0-4016896955
• Opcode ID: 7aab2dcfb567f68de1792e20ff9d4b01cd9aace6cf219fb0bd0297b332c80086
• Instruction ID: 17fe3693d1092871b7b07dce336dbd291aade4a7ace0cfdac8a7fb9021f29210
• Opcode Fuzzy Hash: 7aab2dcfb567f68de1792e20ff9d4b01cd9aace6cf219fb0bd0297b332c80086
• Instruction Fuzzy Hash: F151B471E002088FDB14DFA9C4546AEBBF6FF85300F14986ED546E7380DB349945CBA1

Control-flow Graph
Memory Dump Source
• Source File: 00000005.00000002.3040889904.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_65b0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18b7319e27aedc24ecd08dfb14dca811713ea405a5e68731135105fb989dba0d
• Instruction ID: ef22c236e388eeb8e9692203f75fe67329847d2dd3b35f05c02ce6651e8ebdb1
• Opcode Fuzzy Hash: 18b7319e27aedc24ecd08dfb14dca811713ea405a5e68731135105fb989dba0d
• Instruction Fuzzy Hash: B4916F71809398AFCB02CFA5D8509DDBFB5FF0A314F0A809BE444AB162C7359955CF61

                                               Control-flow Graph (rendered graph not reproduced): basic blocks 80d69bc-80d6d0d; block 80d6b57-80d6c11 calls CreateProcessA.
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 080D6BFE
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: b64b9e60f5547a7a5b8b816835f12b0c2bfcea29f3a4d8d6c5ff72d961c67678
                                              • Instruction ID: 4818fca2a8bdf38629b3acf72092a1bbc434609f758127d2df455c28f2790c62
                                              • Opcode Fuzzy Hash: b64b9e60f5547a7a5b8b816835f12b0c2bfcea29f3a4d8d6c5ff72d961c67678
                                              • Instruction Fuzzy Hash: 70A14A71D003198FEB14CF68C8417EEBBB2FF54311F1481AAD859A7250DB759986CF91

                                               Control-flow Graph (rendered graph not reproduced): basic blocks 80d69c8-80d6d0d; block 80d6b57-80d6c11 calls CreateProcessA.
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 080D6BFE
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: c2eed5ef7877ea5852c17dd46b6e90d9159f5f93c9115280deb82292ff6b14d4
                                              • Instruction ID: c6b9f9b69dcbf500328cbd05b262fb0e026928df6eb06cf1b3016a95dc3d38f6
                                              • Opcode Fuzzy Hash: c2eed5ef7877ea5852c17dd46b6e90d9159f5f93c9115280deb82292ff6b14d4
                                              • Instruction Fuzzy Hash: 37913971D003198FEB24CF68C8417AEBBB2EF58315F1481AAD859A7240DB759986CF91

                                               Control-flow Graph (rendered graph not reproduced): basic blocks 65b0190-65b2341; block 65b2253-65b22f2 calls CreateWindowExW.
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 065B22E2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040889904.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_65b0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 063989120c730692d533b9b6b178a6e2c094273592662ad47573f8bc1ce68f77
                                              • Instruction ID: d002753285e88d3bd523eb9ce632261cd38e1e068568ef4cfa9a4e9e05b4b933
                                              • Opcode Fuzzy Hash: 063989120c730692d533b9b6b178a6e2c094273592662ad47573f8bc1ce68f77
                                              • Instruction Fuzzy Hash: C451B0B1D103499FDB14CF99C884ADEBBB5FF88310F24812AE918AB210D775A985CF90

                                               Control-flow Graph (rendered graph not reproduced): basic blocks 65b02e4-65b48ac; block 65b487c-65b489c calls 65b01bc and block 65b482a-65b4862 calls CallWindowProcW.
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 065B4851
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040889904.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_65b0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: a2510d02394d2cc7f627cb4f090e2e26742a4100bf48d579ff786e851aba107c
                                              • Instruction ID: c453d2df9d6a659597c4ccad1a999e90a91fd085ccd6f33a4972cddef065166a
                                              • Opcode Fuzzy Hash: a2510d02394d2cc7f627cb4f090e2e26742a4100bf48d579ff786e851aba107c
                                              • Instruction Fuzzy Hash: 024147B4D003458FCB54CF89C888AAABBF5FF88314F24C859E519AB325C374A840CFA0
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 031260D9
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023415870.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_3120000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 6b3fb431c26dae8cee470c96df953aa69d6cd52bef7010da2d40773a18d64bb6
                                              • Instruction ID: eaf9fa482b730ebf53ea04dc58dd529e167d8f492545e56b2b5208f90d60bd8d
                                              • Opcode Fuzzy Hash: 6b3fb431c26dae8cee470c96df953aa69d6cd52bef7010da2d40773a18d64bb6
                                              • Instruction Fuzzy Hash: D241E3B1C00629CFDB25CFA9C94479DBBF2BF88304F24816AD418BB255DB796946CF90
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 031260D9
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023415870.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_3120000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 1be92209c4002b4d3496b7436a6ee6c918dd8f305f3f61e3c0372ad3b5b86a85
                                              • Instruction ID: b6420d0926da20f1782357e6cd5f945c8ea167d47bb87d5395e628659855a43b
                                              • Opcode Fuzzy Hash: 1be92209c4002b4d3496b7436a6ee6c918dd8f305f3f61e3c0372ad3b5b86a85
                                              • Instruction Fuzzy Hash: 2B41F2B0C00619CFDB28CFA9C844B9EBBF5BF48304F20806AD418BB255DBB56949CF90
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 080D67D0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: c9a211bd0d70b46adaa98b01dc4ed50f3cd333e6926553b0b9bec44200c32a88
                                              • Instruction ID: f709e74c4e9d45c559bbe10adcb48ef2753cbaca5cf8d3c7d475af5babff6e98
                                              • Opcode Fuzzy Hash: c9a211bd0d70b46adaa98b01dc4ed50f3cd333e6926553b0b9bec44200c32a88
                                              • Instruction Fuzzy Hash: D82124B59003499FCB10DFA9C885BEEBBF5FF48310F10882AE919A7240C7799954CBA0
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 080D67D0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 49f41b0797dc2813c4400bfaa1086d57b9f57e7f9e06ca3b0c9b2d844ec1bb02
                                              • Instruction ID: 3fe54db5e905ea151f230d8b05a9bac6ab9c06d73885a80f25436c62a5b42beb
                                              • Opcode Fuzzy Hash: 49f41b0797dc2813c4400bfaa1086d57b9f57e7f9e06ca3b0c9b2d844ec1bb02
                                              • Instruction Fuzzy Hash: DC2107B59003599FCB10DFA9C985BEEBBF5FF48310F10842AE919A7250C7799954CBA0
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 080D6626
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: ea06b1ccf228bfbc39ae4b388a952256b9fdbffa587f5f34fb808d1e75955c34
                                              • Instruction ID: 165c564525646fbc7dc5d9d42e4b7ba742003fab97bebb372bd1a21e35b609a8
                                              • Opcode Fuzzy Hash: ea06b1ccf228bfbc39ae4b388a952256b9fdbffa587f5f34fb808d1e75955c34
                                              • Instruction Fuzzy Hash: 0B2145B1D003098ECB10DFAAC4847EEBFF5AF98310F14842DD419A7240CB789945CFA0
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 080D68B0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 110448265a7dffda2f26fe6d8f1dd1c6514945f66c2594067b894ad1ce57d677
                                              • Instruction ID: b87af64cc55c49ccbf96d32e1fcc5d486768468ac410a5f11eed781687e89b2d
                                              • Opcode Fuzzy Hash: 110448265a7dffda2f26fe6d8f1dd1c6514945f66c2594067b894ad1ce57d677
                                              • Instruction Fuzzy Hash: D32139B1D003499FDB10DFAAC881AEEFBF5FF48310F10842AE519A7250D7799945CBA1
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0312D9E6,?,?,?,?,?), ref: 0312DAA7
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023415870.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_3120000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 848b4879d8fe5eb5f957c75f1eaa3ce2a5b24a5351c4636979ad81e98f51869f
                                              • Instruction ID: 883bf9195640fe91154a3d49e319ee06ea4940e3ba2b0d0b786df2fef17dad47
                                              • Opcode Fuzzy Hash: 848b4879d8fe5eb5f957c75f1eaa3ce2a5b24a5351c4636979ad81e98f51869f
                                              • Instruction Fuzzy Hash: B521E4B59042589FDB10CF9AD984AEEFFF8FB48310F14841AE919A3310D378A954CFA5
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 080D68B0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 886eebf256023ec2fe86538bda035f90a69fe87580c80f4119ac56c2c3f57f57
                                              • Instruction ID: f20a325eb452d7205a0dbbc4406e6d2a95fd5b897f07c9082b45b54cf8721af6
                                              • Opcode Fuzzy Hash: 886eebf256023ec2fe86538bda035f90a69fe87580c80f4119ac56c2c3f57f57
                                              • Instruction Fuzzy Hash: FA2118B1C003499FDB10DFAAC985AEEFBF5FF48310F50842AE919A7250D7799944CBA1
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 080D6626
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 4b5011525625e1dd693f4b60d25e12603794b5ac37bc7c3ef0c151b5fefe340a
                                              • Instruction ID: 7913e4cd8d7a86d54dd2522769a89ffd0ec07eafb4176d0a3b9ccd927d0a799d
                                              • Opcode Fuzzy Hash: 4b5011525625e1dd693f4b60d25e12603794b5ac37bc7c3ef0c151b5fefe340a
                                              • Instruction Fuzzy Hash: 842135B1D003098FDB10DFAAC4857EEBBF5EF98310F14842AD519A7240CB78A984CFA4
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0312BB19,00000800,00000000,00000000), ref: 0312BD0A
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023415870.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_3120000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 1bd2e47f078923263e32c3e1bf7d4278df103069e5e74a891576a69be83d5660
                                              • Instruction ID: 71e9c2c6702596bf3fbded24078c7fc00d24ffe20de5029e415e8f3b7555beee
                                              • Opcode Fuzzy Hash: 1bd2e47f078923263e32c3e1bf7d4278df103069e5e74a891576a69be83d5660
                                              • Instruction Fuzzy Hash: 012132B28082588FCB10CFAAC944ADEBFF4EF89314F04846AD559A7211C779A554CFA5
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0312D9E6,?,?,?,?,?), ref: 0312DAA7
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023415870.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_3120000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 7bfbcc53d0d28a81965f0f84dc5822f6e19730c3c1398bc05c3bab8b4f151570
                                              • Instruction ID: 356b1b588604a568b4a4202d027d17d2c44e79482613f2fcf5af08e9f6f5b4cb
                                              • Opcode Fuzzy Hash: 7bfbcc53d0d28a81965f0f84dc5822f6e19730c3c1398bc05c3bab8b4f151570
                                              • Instruction Fuzzy Hash: 1221E4B5D002189FDB10CF99D584AEEBBF4FF48310F14841AE918A3350D378A954CFA1
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 080D66EE
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_80d0000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 570fd8d00711cb5ddad1237b2a0c37a8d3687b5b221a0ac0231181af7f18658f
                                              • Instruction ID: 3ef8fec3869a92c2cc1550032ee21267ecf096a4380216f47baad1e1ce730249
                                              • Opcode Fuzzy Hash: 570fd8d00711cb5ddad1237b2a0c37a8d3687b5b221a0ac0231181af7f18658f
                                              • Instruction Fuzzy Hash: AA2117719002499FCB10DFAAC845AEEFFF5EF89320F208419E519A7250CB79A541DFA1
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0312BB19,00000800,00000000,00000000), ref: 0312BD0A
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023415870.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_3120000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: db3446cc24dc90c1380e33df9fb116070c055c7ca7d03a052b7094dfb46a3a2a
                                              • Instruction ID: 5b666ea47484b89ee4a498756b54d6d47dad467d357a8521c6237ab98c2754f5
                                              • Opcode Fuzzy Hash: db3446cc24dc90c1380e33df9fb116070c055c7ca7d03a052b7094dfb46a3a2a
                                              • Instruction Fuzzy Hash: F81126B6C043488FCB10CF9AD544ADEFFF4EB88310F14842AD919A7210C779A954CFA4
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0312BB19,00000800,00000000,00000000), ref: 0312BD0A
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023415870.0000000003120000.00000040.00000800.00020000.00000000.sdmp, Offset: 03120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_3120000_InstallUtil.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 2390cae656b21503ef8088964d0123c14b403da05c81fa85d1453c5874c41215
                                              • Instruction ID: 9b8040bc8a6c534f58861b36297b67bbba333ddbaa64c644142a8e2a2c2abac3
                                              • Opcode Fuzzy Hash: 2390cae656b21503ef8088964d0123c14b403da05c81fa85d1453c5874c41215
                                              • Instruction Fuzzy Hash: B31112B68002098FCB10CF9AD544ADEFBF4FB88320F14842AD519A7610C779A545CFA4
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3044006923.00000000080D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080D0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: da4a443726e42c0b2006a9916e9bb6deba8137f7c91f0e6cb7f8cc66f1c0aa83
                                              • Instruction ID: 22737395b254ffe77be6d73e245ea210ae3243f238fe5499149e9bc53160f0d7
                                              • Opcode Fuzzy Hash: da4a443726e42c0b2006a9916e9bb6deba8137f7c91f0e6cb7f8cc66f1c0aa83
                                              • Instruction Fuzzy Hash: FB31C231304200CFDB19EB78E550A7AB3EAEF84715B28E66EC48E87294CB35DC86C755
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f8b4eff8688e005d48875bb994204eb110f1211b413fc8fd32d550b77cf6d641
                                              • Instruction ID: a4afff28f12de9a9b9397308660b07db6db87db0256a799ec31ef5b84b1cf7ab
                                              • Opcode Fuzzy Hash: f8b4eff8688e005d48875bb994204eb110f1211b413fc8fd32d550b77cf6d641
                                              • Instruction Fuzzy Hash: E8310871A04205DFDB05EF64C9549ED7FB2FF89304F08A15AD4419B3A0EB74A985CF90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b25aad5b8d550d71eb2ef02422b6c54c700523368771e5b8a91d4df46f45285
                                              • Instruction ID: bd2dc1020d2f029997f24b8ee4c6f9cdd52c9a6c278efcbde5f688c0740a1948
                                              • Opcode Fuzzy Hash: 6b25aad5b8d550d71eb2ef02422b6c54c700523368771e5b8a91d4df46f45285
                                              • Instruction Fuzzy Hash: FC3159B5900258AFCB14DFA9D845A9EBFF9EF49310F14846AE909E7210D735A944CFA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 14f4bbb0915acbba29db3d029b06b5d2c6b0b0398550f3807ec0d21e24441652
                                              • Instruction ID: 5b93cad250129c2c2607cd8657b8ee5aeceeb903bab47e38cc991a92a190bd20
                                              • Opcode Fuzzy Hash: 14f4bbb0915acbba29db3d029b06b5d2c6b0b0398550f3807ec0d21e24441652
                                              • Instruction Fuzzy Hash: BE316CB5A001199FDB55EFA8C9546FFB7BBFB88340F208168D61AB7344CA355D028BA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 23d30bccc999e3b443f7a19483d39b3480075360a7584f560a6f405a5582a829
                                              • Instruction ID: 7a05f6cecb26121d3e0a324f61874fda8455d0536167bc8da680e9143f321b8f
                                              • Opcode Fuzzy Hash: 23d30bccc999e3b443f7a19483d39b3480075360a7584f560a6f405a5582a829
                                              • Instruction Fuzzy Hash: 69314D75E0020A9FCB45DFA9C8448FEFBF5FF88200B10826BE558E7250E7749A56CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af1f4c13c96e3d744d4db91c11a27f9a599bd5e75d2b45d44787d655f527a5ef
                                              • Instruction ID: 54dbe756660e238bf3b100d328bec5fe72197c5dc1654db403b171c29351c289
                                              • Opcode Fuzzy Hash: af1f4c13c96e3d744d4db91c11a27f9a599bd5e75d2b45d44787d655f527a5ef
                                              • Instruction Fuzzy Hash: 813147353105108FC715DF2CD488D68BBB6FF89A1572511AAE90ACB3B2DB32EC42CB40
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 232cae7536174d1e0ecc2bdc76e89759f814a2dca30c456695c2c3b23fcd91f2
                                              • Instruction ID: 7d535919b1907749512ca2d885754692e1ca55879f18adcffe28b5d08f91e0f0
                                              • Opcode Fuzzy Hash: 232cae7536174d1e0ecc2bdc76e89759f814a2dca30c456695c2c3b23fcd91f2
                                              • Instruction Fuzzy Hash: DD218E357106218FCB59DB6DD4149AE77EEEF88622B1540AEE505CB361DF71DC02CBA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 76bdc5effec47ea31d70f17ca9ca857b3de31a3a4dfe75a5fe06b8aed4c0f7ed
                                              • Instruction ID: a23cd7ab23215ac07a71544b735abbad90750bf45be3ecc825cb7304903f177b
                                              • Opcode Fuzzy Hash: 76bdc5effec47ea31d70f17ca9ca857b3de31a3a4dfe75a5fe06b8aed4c0f7ed
                                              • Instruction Fuzzy Hash: 7131D3B0A0491ACADB20CB69C8506FEF7BBBF40715F04E227E5F6852D2D33895D2CA51
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023019829.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2fed000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0dbc99598cddbd23736adda925a38bca5151e1ff04dfd58052704cf052447085
                                              • Instruction ID: 89b039e1404cbd6d3fb4cb1da501b8e7291005832186a3b35ab2226195a79ad4
                                              • Opcode Fuzzy Hash: 0dbc99598cddbd23736adda925a38bca5151e1ff04dfd58052704cf052447085
                                              • Instruction Fuzzy Hash: B72125B6604244DFDF06DF14D9C0F26BF69FB88354F208569EA0A0B656C33AD456CBA2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023019829.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2fed000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5bc3fa7e88482012f116edabf58b1ba9134a7969ffdfca7ebf55d8078f971d51
                                              • Instruction ID: 16ab4f230310ed51d60872c3a0a37eb04aef7fb1c145f9903c601714af852006
                                              • Opcode Fuzzy Hash: 5bc3fa7e88482012f116edabf58b1ba9134a7969ffdfca7ebf55d8078f971d51
                                              • Instruction Fuzzy Hash: AB2138B2500304DFDF16DF14D9C0F26BF69FB88358F208569DA0A0B756C33AD406CAA1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7fa07002149a0884e4233c27f1dc8d65fbc82dba66844e73f6abfe30eb769ee2
                                              • Instruction ID: bceb45198d5503811279bdb59c3850e0ca39e2476c3dd8fa6bba7b2e0b93c28b
                                              • Opcode Fuzzy Hash: 7fa07002149a0884e4233c27f1dc8d65fbc82dba66844e73f6abfe30eb769ee2
                                              • Instruction Fuzzy Hash: 6531F1B0C01218DFDB20CF9AC598BDEBFF9AB49324F64811AE404BB250C7B55885CBA4
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b7b7396323ba7907e6ee4eadf0104d26581d4dceb8ea1d2e3e1031b8d2f56a58
                                              • Instruction ID: ac8052ba76c7aade05b8343891eb6f6967eb65083404118ea40f01762034c98f
                                              • Opcode Fuzzy Hash: b7b7396323ba7907e6ee4eadf0104d26581d4dceb8ea1d2e3e1031b8d2f56a58
                                              • Instruction Fuzzy Hash: A7210431A00305DBDB14EF69C8446BAB7B6FF84315F04E839D9899B390DB35E984CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1097da5ce97d3c4ae07e619773d2383d1834601fa190f892d26a2efa5b7c7a17
                                              • Instruction ID: 617ff5270e170b7423b88b2c201a7886fa8e5820d41b835d680f43edf929b2ae
                                              • Opcode Fuzzy Hash: 1097da5ce97d3c4ae07e619773d2383d1834601fa190f892d26a2efa5b7c7a17
                                              • Instruction Fuzzy Hash: 6A215E303002108FDB58DB39C854A2A73EAEF89714B5494BDD546CB3B5DB76EC42CB60
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023087709.0000000002FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FFD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2ffd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aaa5092e834fbb5794ae6b925a104b8286400b886bdef9ce4eb0d7876ad68845
                                              • Instruction ID: 273a0758e1a9035bbc0921e7d6ed1c4e7564368af0421a4d56d2690f227d4448
                                              • Opcode Fuzzy Hash: aaa5092e834fbb5794ae6b925a104b8286400b886bdef9ce4eb0d7876ad68845
                                              • Instruction Fuzzy Hash: 36210771604204DFDB45DF14D5C4B16BB65FF84314F24C56DDB094B366C37AD446CA61
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023087709.0000000002FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FFD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2ffd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77471756f1c36a7992b072a6d472efb1ff349ffea5056f7f649d3862bafdc86b
                                              • Instruction ID: efcf5e529e1ef128de34d3ca78310bab83f3fa6ba3c0172f08d085414bd0b0b8
                                              • Opcode Fuzzy Hash: 77471756f1c36a7992b072a6d472efb1ff349ffea5056f7f649d3862bafdc86b
                                              • Instruction Fuzzy Hash: D321F272A043049FDB45DF24C9C0B26BB65FF88354F20C5A9EB094B266C33AD406CAA1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 803602e10295c93b60989036d11521057f613e5813b497f0f9b5192448e93f05
                                              • Instruction ID: a088b42e9c52a8c50d3e80f1960d0d5acfc2f8a60db6f33c425ce69d23c33967
                                              • Opcode Fuzzy Hash: 803602e10295c93b60989036d11521057f613e5813b497f0f9b5192448e93f05
                                              • Instruction Fuzzy Hash: 38214C30300610CFDB19DB38C458A6977AAEF8A718B58A4BDD546CB3B1DB76DC42CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1eea6b51c630018413ae788c02a6ba4f8a5605663174e3b01b19e86fb8853f02
                                              • Instruction ID: dfb0abff81050958961c2087bb7bffe4926c12d6e12af8d05bc99de95a6dcacd
                                              • Opcode Fuzzy Hash: 1eea6b51c630018413ae788c02a6ba4f8a5605663174e3b01b19e86fb8853f02
                                              • Instruction Fuzzy Hash: 0111E275A007668FCB12DB7888505BF7BFBEFC9220715456AD469DB341DF308D068760
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6fd4fdfc361fc11c0e4baba77b860c23a308734f0396421cdcf31944eabace41
                                              • Instruction ID: ce7a52c7d2716c07454fa992b33eca21c449581bcfbc3921946a61d8bf38e672
                                              • Opcode Fuzzy Hash: 6fd4fdfc361fc11c0e4baba77b860c23a308734f0396421cdcf31944eabace41
                                              • Instruction Fuzzy Hash: B721B774D19208CFCB14DFA4C9946EDBBB6BF49311F10B019D45AAB3A5DB349891CF14
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 544aa392f15ccb015b6a7064b3d8488981566ef327dc1962489c6b9f2300cf1f
                                              • Instruction ID: 28abca7073959f52e79c9aa3692706d52b4f62ecb0ec831095bbd0c800a4778b
                                              • Opcode Fuzzy Hash: 544aa392f15ccb015b6a7064b3d8488981566ef327dc1962489c6b9f2300cf1f
                                              • Instruction Fuzzy Hash: 5C3100B0C012189FDB20DF9AC588B8EBBF9AB49324F60811AE408BB250C7B45844CBA0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 685ccba4006f096c77962d059e906aff5bd86946327686977ee1353109e93e9a
                                              • Instruction ID: 1f4640089204ac7838a60055c8fc454c5eead3e532a0d3d9b031268782aef703
                                              • Opcode Fuzzy Hash: 685ccba4006f096c77962d059e906aff5bd86946327686977ee1353109e93e9a
                                              • Instruction Fuzzy Hash: CB21D830A096949FC706DF289D14BAA3BABEF86301F1581EED5058B2A2DA359D05CB81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df05900a940baac556094d1ac8ec99d7041a4f11f9c11a955858e4de1d3a6e39
                                              • Instruction ID: 654ac7cdfab917b7ee2697daaa95c2d6cc7426ef4c211d38b6b3f8c79a015060
                                              • Opcode Fuzzy Hash: df05900a940baac556094d1ac8ec99d7041a4f11f9c11a955858e4de1d3a6e39
                                              • Instruction Fuzzy Hash: E221F0B59013099FDB10CF9AD984AEEFBF8FB48314F10942EE559A7240C774A944CBA5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af87cfbc90f900ef5a047307e8b16b81c526b96b7b8e11cb66962ef309dd64ed
                                              • Instruction ID: 83f939e0d61433c69228d16b0ebc2d8615b239ead1f1ec9c1f94711ee9113a07
                                              • Opcode Fuzzy Hash: af87cfbc90f900ef5a047307e8b16b81c526b96b7b8e11cb66962ef309dd64ed
                                              • Instruction Fuzzy Hash: B211B6746093C49FCB06D7B489164597FF99F0710072984EFD884CB253D9358D06D322
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48c5f958626dc2d6b95a2808459be87f826d087004cad76b8ea8d1478951b0ca
                                              • Instruction ID: cbd3599f0e35e9a6480d010f112097f2fb09d9a630f38d255c3d16749daf8e52
                                              • Opcode Fuzzy Hash: 48c5f958626dc2d6b95a2808459be87f826d087004cad76b8ea8d1478951b0ca
                                              • Instruction Fuzzy Hash: 4421DE71E1020A9F8B44DFADC9448AFFBF9FF98310B10855AE514E7214E770A955CB90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 94f90eea1b424a36ebc9ddab7ad0e5b9f614b9f0160cad605cbc1eb2477f9294
                                              • Instruction ID: 56658270eb3d2a4ddf18035c721a84f4aa2ba6d9dd829abcaee71126f421d64d
                                              • Opcode Fuzzy Hash: 94f90eea1b424a36ebc9ddab7ad0e5b9f614b9f0160cad605cbc1eb2477f9294
                                              • Instruction Fuzzy Hash: 5A2100B1D013099FDB10CF9AD984A9EFBF8FB48314F10942EE959A7340C374A944CBA4
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8b60c3e334a74014501a201831e713182939686f54d0d7833c101dcc44290356
                                              • Instruction ID: ee9ff967eddcb214e74924c5b0d448979b56bd74e90f5665e4bd8bf7f3cf0fb3
                                              • Opcode Fuzzy Hash: 8b60c3e334a74014501a201831e713182939686f54d0d7833c101dcc44290356
                                              • Instruction Fuzzy Hash: E421EB35A10218CFCB15EBA8C858AAD77F6FF4C315F115499E402BB3A0DB399C11CB64
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5539d331b3bfc86aee9603951f8de44bd84451fa8d8d13e7e3679847b8d3fcc5
                                              • Instruction ID: 709c78899136c499abdf2d82dc91cb093a00f51ac01ca0808fe84c35795fdf93
                                              • Opcode Fuzzy Hash: 5539d331b3bfc86aee9603951f8de44bd84451fa8d8d13e7e3679847b8d3fcc5
                                              • Instruction Fuzzy Hash: F421D835A10218CFCB54EBA8C858AAD77B6FF8D311F115469E402BB3A0DB3A9C51CB60
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d224e48cecca7dd96a045cc12eb2fccaa471389e0cd1feb207354a6e16875f70
                                              • Instruction ID: 9e2dbf33e7ac6eaf0ccc97951afcf6980b8f976df449f13ed4fa38dfe80e3d56
                                              • Opcode Fuzzy Hash: d224e48cecca7dd96a045cc12eb2fccaa471389e0cd1feb207354a6e16875f70
                                              • Instruction Fuzzy Hash: A32114B68003499FCB10CF9AD984ADEBBF9FB49310F108419E919B7210C378A954CFA5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023019829.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2fed000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction ID: 4e8eba07512b46b3ec7ae96d7599db2704135f0a4936426c9a04f539e94e3f05
                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction Fuzzy Hash: 5A11D376904280CFCF16CF10D9C4B16BF72FB88314F24C5A9D9494B656C336D45ACBA2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023019829.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2fed000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction ID: ac874a142dc28cdb9367840984547c213dcacf5e59134d999b79d1ca35ef80fe
                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction Fuzzy Hash: FC11AFB6904284CFCF16CF10D9C4B16BF62FB88314F24C5A9D9094B656C336D45ACBA2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 747c80d66013d522939e89b34ad8cb82d7c936e446d4e1e38e459210f0607c33
                                              • Instruction ID: 7271818d6bf25be40e94599edbc1943c71275cfcb82167cfcfc4aea4671cce53
                                              • Opcode Fuzzy Hash: 747c80d66013d522939e89b34ad8cb82d7c936e446d4e1e38e459210f0607c33
                                              • Instruction Fuzzy Hash: 10116032E042258BCB00DF58C4506ADFBF0BF49710B1596AAD959E7340E770AD80CBC0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023087709.0000000002FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FFD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2ffd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: 513be5d647a792c5de7f0eb8497ce1972fb1eb7c4dbe503930c3434a086d0600
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: 3011DD75904280CFCB02CF10C9C4B15BFA1FF84318F24C6AADA494B266C33AD40ACBA2
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023087709.0000000002FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FFD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2ffd000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: e678432a75579527578e48ef7a851f5321c337955510f9320b39cfebc11e90e0
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: 60118B75904280DFDB06CF14D6C4B15BBA1FF88218F24C6A9DA494B666C33AE44ACB62
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6b0c83653e627858f406c5f117ba7768d94af6413a07318300968026d1e10182
                                              • Instruction ID: 08e79eb8e4a9c4fd28fa12dc2eb00e08c6fb8a1e894ba16efbe3e97c6310c90a
                                              • Opcode Fuzzy Hash: 6b0c83653e627858f406c5f117ba7768d94af6413a07318300968026d1e10182
                                              • Instruction Fuzzy Hash: 7511AC75A0020A8FDF10CF68C984AAE77F9FF48600F04947AEA69D7351E730D920CB60
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9fcea2103bb48e6af6000214d177fa542e51e857d8fa6dd1084a1bb0143e2d92
                                              • Instruction ID: 6e56e66e88ab6620fea68119be52b20b2e1095f19dc760d7f8a0b294bfce14b5
                                              • Opcode Fuzzy Hash: 9fcea2103bb48e6af6000214d177fa542e51e857d8fa6dd1084a1bb0143e2d92
                                              • Instruction Fuzzy Hash: 33111872F002268BCB04DF99C5505AEFBF1BF48710B1596AAE959E7340EB70AD80CBC0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 018d6cc9b1925eee366280fb1e961026222ff5a0d58a4d621759cf28328e48a5
                                              • Instruction ID: 62d28ff4af451701c484c18b391dcb5d1d6661b9b5f1f34e39c28a5d02d1434c
                                              • Opcode Fuzzy Hash: 018d6cc9b1925eee366280fb1e961026222ff5a0d58a4d621759cf28328e48a5
                                              • Instruction Fuzzy Hash: 32115E75A002099FDF11DF69C884AAE77F9FF48610F049469E965D7350E730D950CB61
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 672ad423e33bb3c4aa1fb06c856c5c553f9342919f537d294e3205abf270ff02
                                              • Instruction ID: 288cb2c893d69a199811cae70402de3e8ef7ed71ca7f6d5f3895f5520d1125e3
                                              • Opcode Fuzzy Hash: 672ad423e33bb3c4aa1fb06c856c5c553f9342919f537d294e3205abf270ff02
                                              • Instruction Fuzzy Hash: 75012470704324DFD7258E2AD844726BBAFEB89312F04C47AE9198774AC63AD891C7A0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 51d5cdd4bfefee53bad12b7f6d91018cb2743f66562d430cd5822fef85018525
                                              • Instruction ID: 52787eae17ca8537746a869f09e0c3103fb221eb8c1b7b99b724b704013f353a
                                              • Opcode Fuzzy Hash: 51d5cdd4bfefee53bad12b7f6d91018cb2743f66562d430cd5822fef85018525
                                              • Instruction Fuzzy Hash: 6A01B5307042109FDB28DBA9D980E7973A6EFC1318B54A46EC49687291DF75D852CB91
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 79298a3de2039eb6438c1003ee820bdbe1dcdb74f5c216f36e40375369787a57
                                              • Instruction ID: 990e1e71ff4369a5f394d2bdf6ad3365c1c6c869c01361cc4cd7462b351a92c6
                                              • Opcode Fuzzy Hash: 79298a3de2039eb6438c1003ee820bdbe1dcdb74f5c216f36e40375369787a57
                                              • Instruction Fuzzy Hash: FA01D4303042005FCB28A6A9D940A3A739AEFC4314B94E47DC49687390EF75DC42C791
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7b76051a5562dea25fcb382df285d6217977e3affcb23b19cbfef668860b305b
                                              • Instruction ID: a98ed711d2afde70a532b26a98fbd9a535b78d406736c1868084f01efc3e5c03
                                              • Opcode Fuzzy Hash: 7b76051a5562dea25fcb382df285d6217977e3affcb23b19cbfef668860b305b
                                              • Instruction Fuzzy Hash: 4B019A307042009FCB24DBA8D584E79B7FAEF85314B55A0AAD49AC72A1DB76EC02CB40
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3023019829.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_2fed000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8da99f73dad4c9063fa8f637fdca8894e4f03e9bd3f60821952c644671ff1a7b
                                              • Instruction ID: df4b61571d6b2b3fda900a4d0ee181107a96c8bf8da8308b82e0eefe5a32572e
                                              • Opcode Fuzzy Hash: 8da99f73dad4c9063fa8f637fdca8894e4f03e9bd3f60821952c644671ff1a7b
                                              • Instruction Fuzzy Hash: E7014E315083489EEB218F19CD84B67FF9CEF463B4F18C429EE0A0A686C33C9840C671
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a684133c3e7df58c55a23505563fdf3777d9d8c860ecfe5fa9676c42b0e1c6f8
                                              • Instruction ID: f92399fe068c29ba2eb1a144b44a4fdacdc474eb83b475b1854dc895ba493d44
                                              • Opcode Fuzzy Hash: a684133c3e7df58c55a23505563fdf3777d9d8c860ecfe5fa9676c42b0e1c6f8
                                              • Instruction Fuzzy Hash: A9F0F6722081597FDF15CBE8EC529EA7FFEDF4B220B1480EAE444D7222D631A842D790
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ea47b825dfa01f404a94039e8ed16d41496941bad4b69cc62ef6e368b8dca0b
                                              • Instruction ID: 6b5d1a4792a0411ef9185ccdb6cbdd3efeecf5de1140d9349ab379be1bfabe81
                                              • Opcode Fuzzy Hash: 9ea47b825dfa01f404a94039e8ed16d41496941bad4b69cc62ef6e368b8dca0b
                                              • Instruction Fuzzy Hash: 73012C75D052188BDB08CF6AC504BEEBFBEAB8A301F00D46AC81967352DBB55544CF80
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d1c440734c150ce6745a4f07fae89befe7cfb71bd4e4901ada7aae82db7ad243
                                              • Instruction ID: fc6a97b4f93d149f232648e83d5d5fb337529000542b5cce37b42d5010d1db7b
                                              • Opcode Fuzzy Hash: d1c440734c150ce6745a4f07fae89befe7cfb71bd4e4901ada7aae82db7ad243
                                              • Instruction Fuzzy Hash: 94019230704A90DFD71A9F18D924BAA3BABEF86311F1980DDE5168F2A2C7359C418B81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a8b2e3c2b2c7979ecf4e3d5064fdaf421fd15bc12cdcec92fd4ad3b9b0edde37
                                              • Instruction ID: 270c1011d75ac9b62953d65d00494ba51da26a340f0d8087502efed8cab231cc
                                              • Opcode Fuzzy Hash: a8b2e3c2b2c7979ecf4e3d5064fdaf421fd15bc12cdcec92fd4ad3b9b0edde37
                                              • Instruction Fuzzy Hash: A8017135304600CFD714DB68D584E75B3EAEF85354B68E56DD44A8B3A1CB75EC42CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8c0b1a20c66f84aefa152f12bd4018b23427aa898c3a3991974c3674b1137ba0
                                              • Instruction ID: c744c6b159412ac86922a16575c14e8325c74186df1924b8407e7ba77fafd403
                                              • Opcode Fuzzy Hash: 8c0b1a20c66f84aefa152f12bd4018b23427aa898c3a3991974c3674b1137ba0
                                              • Instruction Fuzzy Hash: 96F0B4727042541FD3048B7EACA4DA7BFEEEFCA67035540EAE548CB311D9209C02C7A0
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e66dfc1b54d1f8bca823017943b0f264bb2d9c344ae420bda4c6854d3c3db96e
                                              • Instruction ID: 328581e3f724992e94ce2a9b168177151a6ee59761365d5db6943c54bdabb935
                                              • Opcode Fuzzy Hash: e66dfc1b54d1f8bca823017943b0f264bb2d9c344ae420bda4c6854d3c3db96e
                                              • Instruction Fuzzy Hash: 27016D31310200CFC728DB69D544D3AB3EAEF85724B68E579D54A873A1DBB5EC42CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6a33129bcd6642f01a3956456c8991564f44db703efae2a36678da44c9ba3bb8
                                              • Instruction ID: 3186f181876a7b751d06d5627ff6d18f6c0b3c93fdc9b6e4dfdecd1f5c570154
                                              • Opcode Fuzzy Hash: 6a33129bcd6642f01a3956456c8991564f44db703efae2a36678da44c9ba3bb8
                                              • Instruction Fuzzy Hash: 4A016D313042009FDB24DBADD944E3AB3EAEF89314B94E479D55A87361EB75EC42CB50
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eca9d87aedaf7ba4a732e17af7e28f17a88e243dc7f81c5cd9c561d2a02ab213
                                              • Instruction ID: 4c3490c283d8fdafba0e1e5d6a45b9354b7595ade228cedee8e5be5180fec4b3
                                              • Opcode Fuzzy Hash: eca9d87aedaf7ba4a732e17af7e28f17a88e243dc7f81c5cd9c561d2a02ab213
                                              • Instruction Fuzzy Hash: B301813020D2559FD715D76CD8007197BA8AF4630DF18D4AAE04CCB683D226E897C796
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c93b0a668553751ab5296ec1d3bcc00a333dfcd31e9d0f5c54013b84b1fa466e
                                              • Instruction ID: 19a2c994324899dddd69faa228d743fd909d0260f3537f2936a833c7bb128309
                                              • Opcode Fuzzy Hash: c93b0a668553751ab5296ec1d3bcc00a333dfcd31e9d0f5c54013b84b1fa466e
                                              • Instruction Fuzzy Hash: 73F0D675E04209ABD714CB5DD404A9EBBF9EF84310F04D57AE85AC3240D6309581CF90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c63f17c75590e71b4d377689ea0d8aaf9e32b2843caeb6d4364e9304053bba2e
                                              • Instruction ID: acc679276844f36a1b55bd099de5c5573f99a32112431b18148bf9c024fd06be
                                              • Opcode Fuzzy Hash: c63f17c75590e71b4d377689ea0d8aaf9e32b2843caeb6d4364e9304053bba2e
                                              • Instruction Fuzzy Hash: 15011A70800269DFDB11CFA9C4243EE7FF6AF49325F248669E864AB2A0D3744A41CF90
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c914a25ba4f0180a5078ae2b5f6401951edaf05489d16fc2187cb0a2fb31b8e6
                                              • Instruction ID: ed7a7bc857b6039f2d0bc346df6edbfc39b0c07bd2dc6a495fe649e5b61f6aeb
                                              • Opcode Fuzzy Hash: c914a25ba4f0180a5078ae2b5f6401951edaf05489d16fc2187cb0a2fb31b8e6
                                              • Instruction Fuzzy Hash: 37F0F632208258AFCB15CBA8D8429DE7FBEDF06220B14C0EFE044CB262D6329812D790
                                              Memory Dump Source
                                              • Opcode Fuzzy Hash: 67a69f90490f2b79cd5caf3d7d1044f1cff1092120b0bcd8c7f7715e913ae4b3
                                              • Instruction Fuzzy Hash: 81D0C75030A6804BC346D25C9866486FFF18A86214719C0DE904DC7293D915DD0B9755
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c2b792f5210a86c7a21ca121af56fccb580c4f44484e594706f32534981f34f
                                              • Instruction ID: bfe8311bfec72b429dce5e5b1b3cf7ddd86955b6a02c78fcdefc6a928a784571
                                              • Opcode Fuzzy Hash: 7c2b792f5210a86c7a21ca121af56fccb580c4f44484e594706f32534981f34f
                                              • Instruction Fuzzy Hash: 64D05EB1D0510CEF8700CFA4990045E7BADDB08200F0085E5D40693210E9715A00ABA1
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ee1bf082aaf35b875dcbb4010cda1727bd52bccc564940c3748eaf57c86735b
                                              • Instruction ID: 6ce5b3a7f6542d9db34e7a15bae48051c5e5e32fb7d55b549a0ccad5e220e5b3
                                              • Opcode Fuzzy Hash: 2ee1bf082aaf35b875dcbb4010cda1727bd52bccc564940c3748eaf57c86735b
                                              • Instruction Fuzzy Hash: E0D0C9243091801FD70A93288860195ABE14F8E11931884DBA888CB2A3CA269D078245
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cf3f1eaf6cbfc88f357bfbff72c011a64e448b6104bd8eb06598ee4c51e89b71
                                              • Instruction ID: 026357ab32de26f9d75340174dcf963d7b92afba83af0d4d55177c736b75b3ce
                                              • Opcode Fuzzy Hash: cf3f1eaf6cbfc88f357bfbff72c011a64e448b6104bd8eb06598ee4c51e89b71
                                              • Instruction Fuzzy Hash: E0E012314186448BD301EB38D5557547BA8EF46708F1841E8E1485B663EB66E50A8745
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f5c0fbe79c572386103428ddb9f5ba26ad7610bd22efdee8f41bcfe7b423cb4
                                              • Instruction ID: a7e973ea771d3a7653920a5b0839dd2da05fdd14e758bf93b2228415227cb54f
                                              • Opcode Fuzzy Hash: 9f5c0fbe79c572386103428ddb9f5ba26ad7610bd22efdee8f41bcfe7b423cb4
                                              • Instruction Fuzzy Hash: 0BD09EB56192408FC345FF3CE84969ABFE6EB94201F45883AE489C3205E6349528DB56
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ff4f7a212e94aec3bbe812f02aa33fed1df645c8265e29ea4054fb179c2bc8c
                                              • Instruction ID: 082aac521b862e46eecdd26c17fe7d8ee16352ac23697b725669caac7f133c48
                                              • Opcode Fuzzy Hash: 1ff4f7a212e94aec3bbe812f02aa33fed1df645c8265e29ea4054fb179c2bc8c
                                              • Instruction Fuzzy Hash: 50D0122110E5C00FD30343B494321D17FB19E8712075884DBD8C8CF963C6115C47DB81
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 958692270e2ac538cf84aba551e0f6b0b83b5a7ae3f11308887fba8a262876ce
                                              • Instruction ID: 2c6febf0a5e5d065578d13b14fda91a4edf8d72ee9f8b3219463774cacd96310
                                              • Opcode Fuzzy Hash: 958692270e2ac538cf84aba551e0f6b0b83b5a7ae3f11308887fba8a262876ce
                                              • Instruction Fuzzy Hash: B7D0C9707096819FC70AC729C862811FFF1AF8A200719C1DED45ACB2A7DB21AC1AC792
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b0186eb8ef6acd7179f9eefd210927ca7c2dc4d162127e4e31ccc5448283eb47
                                              • Instruction ID: b798c61a5b2680e1e34cd8b06e2c6829959e71f123ba708e882d31d75f36ab76
                                              • Opcode Fuzzy Hash: b0186eb8ef6acd7179f9eefd210927ca7c2dc4d162127e4e31ccc5448283eb47
                                              • Instruction Fuzzy Hash: 54D0C92010F3C05FC307C72498A244ABFB14DC3120B18C8EFE0C8CB1A3C626880AD347
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7688508a1f9eca9636031623e41e43b630be084a49f04152b1079bdec0c850be
                                              • Instruction ID: fe28a07ec5fcd9cdf6f741337c2208ace312cfa0ec9af3acc72ae1724510eeb3
                                              • Opcode Fuzzy Hash: 7688508a1f9eca9636031623e41e43b630be084a49f04152b1079bdec0c850be
                                              • Instruction Fuzzy Hash: 06C04C5410B3C1AECF13877484966917F70AD5326430950DAD4E8DF057CB05591FDB56
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2affcaeab3dcbea1e0a620efb9433ad301abb60032b3b58107b00b36ee40d15f
                                              • Instruction ID: 8738a23f12e2b7c259e57ac1a2a784d608948af437dbf071d5c633ef59f0ef3d
                                              • Opcode Fuzzy Hash: 2affcaeab3dcbea1e0a620efb9433ad301abb60032b3b58107b00b36ee40d15f
                                              • Instruction Fuzzy Hash: 1EC04C31465609CBC31567A5BC0D3E97AA8D705227F540018B50D41463DBB994E4C6A5
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 77d34b9f60b0053f163905d9896da9bb5b8b00ad7250336bfb8ac46a6e469b81
                                              • Instruction ID: 48f1dc6d981b00616a4f52293a4ee74fbc71351f459bb868871479652072ff84
                                              • Opcode Fuzzy Hash: 77d34b9f60b0053f163905d9896da9bb5b8b00ad7250336bfb8ac46a6e469b81
                                              • Instruction Fuzzy Hash: 49C0023490C268CFDB219F79D4584ACBF7AAB0F252B25545AD4A6A7252C6611940CF11
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3eb281dd85116e833d3f431033c9e95cef8d4b76083ba1c915f2c9f840521a0a
                                              • Instruction ID: 4fe74ccc0cdab3608cd9ca45ed38fbed4633404b819c6e39fe1ff379bc689c7e
                                              • Opcode Fuzzy Hash: 3eb281dd85116e833d3f431033c9e95cef8d4b76083ba1c915f2c9f840521a0a
                                              • Instruction Fuzzy Hash: CFC02B3A100814EEC300BB04C640C1DBFEEFF50300B84C851F1408A030C720C41CE701
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 89d1905f66c7bcf00a1db83bbcf81b08c26a9cce47e93ce6d5e9e4cdce4ea516
                                              • Instruction ID: 133f7044f9e1d5e21d8a718ad1c22d2b6ba552fa945a7601549dd213378c6c18
                                              • Opcode Fuzzy Hash: 89d1905f66c7bcf00a1db83bbcf81b08c26a9cce47e93ce6d5e9e4cdce4ea516
                                              • Instruction Fuzzy Hash: 52C02B3028810047C040D3584980B3796C0EFA0301F08FC95A2C446282C410C8B7C727
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6e1bc61348da8ccca84c6608ecfdef3db1dcfde7d1032f34322f6e0aeb6a707e
                                              • Instruction ID: 48dcbb310ed67d0721cc2ed44346149e939367d986e7207cd96665e0d904b9d5
                                              • Opcode Fuzzy Hash: 6e1bc61348da8ccca84c6608ecfdef3db1dcfde7d1032f34322f6e0aeb6a707e
                                              • Instruction Fuzzy Hash: 04B012FB395524B6910062A84945E7EA55AFFA2B01F848C11B384B046085258429E21B
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ac03a86ec4c4048718b2a31579648ac5be648a37041509c11f262137eb7152eb
                                              • Instruction ID: 1a71803c9347c426edd6a8327181495c542aca79574005b4122d87f9be18d4ce
                                              • Opcode Fuzzy Hash: ac03a86ec4c4048718b2a31579648ac5be648a37041509c11f262137eb7152eb
                                              • Instruction Fuzzy Hash: B0C04834D08218CFDB209FBAD4884ADBB7AAB0E252F204019E466A3202C6601840CF00
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3043445685.0000000008030000.00000040.00000800.00020000.00000000.sdmp, Offset: 08030000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_8030000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                              • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                              • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                              • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                              • API String ID: 0-3263873237
                                              • Opcode ID: ae35cbe6d54bdeb62eafb282e913c1c491b92f837e6b6e096807ae449c3d6bc4
                                              • Instruction ID: fea58cbb50ed97094ccd27648b7f1af12e3b5de1da2bd4b67bcb0fe095378602
                                              • Opcode Fuzzy Hash: ae35cbe6d54bdeb62eafb282e913c1c491b92f837e6b6e096807ae449c3d6bc4
                                              • Instruction Fuzzy Hash: E8415170E0120A8FCF0CEFB8E9905ED7BB6FF49704F105968C145AB254DB39A945CBA2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                              • API String ID: 0-3263873237
                                              • Opcode ID: e4060fa9e631e8fdf9761cf4bacc7c884c46199e3248b48c6e801ac9ea91a4e4
                                              • Instruction ID: 19503cf6fcdbcd801da19addc3dcc0bd1bf03011a519db78781b7b3e5c48ccc5
                                              • Opcode Fuzzy Hash: e4060fa9e631e8fdf9761cf4bacc7c884c46199e3248b48c6e801ac9ea91a4e4
                                              • Instruction Fuzzy Hash: 79414170E0120A8FCF0CEFB8E9904ED7BB6FF49704B105968C155AB254DF39A905CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                              • API String ID: 0-471056614
                                              • Opcode ID: 63616f6974a123829cd48ff25e1259434dd45131466fb7274bbbc675d0e45970
                                              • Instruction ID: d5cf9c0c761c8ccd5f5ae28e3847c3d52b3a50b74fc661b98fb338e5038e9c78
                                              • Opcode Fuzzy Hash: 63616f6974a123829cd48ff25e1259434dd45131466fb7274bbbc675d0e45970
                                              • Instruction Fuzzy Hash: 49412070A032058FCB0CEF69E8515AE7BB7FF4A704B405469D0159F268EB386955CFA2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000005.00000002.3040773270.0000000005E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_5_2_5e00000_InstallUtil.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                              • API String ID: 0-471056614
                                              • Opcode ID: f9ee401d11e7fe62036d1b824a290bae02832c2d671cb4acc3621c8a3ff02955
                                              • Instruction ID: 2bd3a586758ba6084c328816abf1560f36798834aee60ab1da58341a13097725
                                              • Opcode Fuzzy Hash: f9ee401d11e7fe62036d1b824a290bae02832c2d671cb4acc3621c8a3ff02955
                                              • Instruction Fuzzy Hash: 49412170A032058FCB0CEF64E95156E7BB7FF4A704B505469C0059F268EB386955CFA2

                                              Execution Graph

                                               Execution Coverage: 4%
                                               Dynamic/Decrypted Code Coverage: 0%
                                               Signature Coverage: 5.2%
                                               Total number of Nodes: 1303
                                               Total number of Limit Nodes: 48
                                               execution_graph (interactive graph viewer; only its node/edge dump survived extraction, and the dump is cut off mid-graph). Recoverable content, by node address:
                                               • 434887 -> 434893 -> 434596 -> 4349f9: CRT startup (___scrt_* helpers, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter); 434b27 GetStartupInfoW; 4432f6 GetModuleHandleW
                                               • 40e9c5: main routine. 41cb50 / 41cb7f / 41cb8f / 41cba8 resolve imports at runtime (LoadLibraryA or GetModuleHandleA followed by GetProcAddress), then 40e9e1 GetModuleFileNameW; 40f3c3 -> 41b4a8 FindResourceA
                                               • Registry: 413549, 4136f8, 4134ff RegOpenKeyExA; 413a23 RegOpenKeyExW; 41376f RegCreateKeyA
                                               • Process and thread creation: 407755 CreateProcessA followed by two CloseHandle calls; CreateThread at 40efc8, 40f0eb, 40f13f, 40f1bb, 40f243, 40f258 and 40f26d; 40f240 SetProcessDEPPolicy
                                               • Host fingerprinting: 41b60d GetComputerNameExW and GetUserNameW; 40f0a1 StrToIntA; 43baac _strftime
                                               • 40f31e-40f34d: DeleteFileW (40f346) retried in a loop with Sleep (40f334) until it succeeds
                                               • 434fcb / 434fd6 / 434fdc: IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
                                               The remaining node text is edge-list data (node pairs such as 47262->47263) and "N API calls" summaries that name no further APIs.
calls std::_Deallocate 47676->48144 47678->47323 47680 401e6d 47679->47680 47681 401e75 47680->47681 48145 402158 22 API calls 47680->48145 47681->47329 47685 4020df 11 API calls 47684->47685 47686 40532a 47685->47686 48146 4032a0 47686->48146 47688 405346 47688->47336 48150 4051ef 47689->48150 47691 406391 48154 402055 47691->48154 47694 401fe2 47695 401ff1 47694->47695 47702 402039 47694->47702 47696 4023ce 11 API calls 47695->47696 47697 401ffa 47696->47697 47698 40203c 47697->47698 47700 402015 47697->47700 47699 40267a 11 API calls 47698->47699 47699->47702 48186 403098 28 API calls 47700->48186 47703 401fd8 47702->47703 47704 4023ce 11 API calls 47703->47704 47705 401fe1 47704->47705 47705->47348 47707 401fd2 47706->47707 47708 401fc9 47706->47708 47707->47354 48187 4025e0 28 API calls 47708->48187 48188 401fab 47710->48188 47712 40d073 CreateMutexA GetLastError 47712->47370 48189 41bfb7 47713->48189 47718 401fe2 28 API calls 47719 41b2ff 47718->47719 47720 401fd8 11 API calls 47719->47720 47721 41b307 47720->47721 47722 4135a6 31 API calls 47721->47722 47724 41b35d 47721->47724 47723 41b330 47722->47723 47725 41b33b StrToIntA 47723->47725 47724->47377 47726 41b349 47725->47726 47729 41b352 47725->47729 48197 41cf69 22 API calls 47726->48197 47728 401fd8 11 API calls 47728->47724 47729->47728 47731 40772a 47730->47731 47732 413549 3 API calls 47731->47732 47733 407731 47732->47733 47733->47387 47733->47388 47735 41bc72 47734->47735 48198 40b904 47735->48198 47737 41bc7a 47737->47405 47739 401f22 47738->47739 47740 401f6a 47738->47740 47741 402252 11 API calls 47739->47741 47747 401f09 47740->47747 47742 401f2b 47741->47742 47743 401f6d 47742->47743 47744 401f46 47742->47744 48231 402336 47743->48231 48230 40305c 28 API calls 47744->48230 47748 402252 11 API calls 47747->47748 47749 401f12 47748->47749 47749->47416 47751 413965 47750->47751 47752 406dd8 28 API calls 47751->47752 47753 41397a 47752->47753 47754 4020f6 28 API calls 47753->47754 47755 41398a 
47754->47755 47756 41376f 14 API calls 47755->47756 47757 413994 47756->47757 47758 401fd8 11 API calls 47757->47758 47759 4139a1 47758->47759 47759->47466 47761 40209b 47760->47761 47762 4023ce 11 API calls 47761->47762 47763 4020a6 47762->47763 48235 4024ed 47763->48235 47767 4137bf 47766->47767 47770 413788 47766->47770 47768 401fd8 11 API calls 47767->47768 47769 40ef9e 47768->47769 47769->47467 47771 41379a RegSetValueExA RegCloseKey 47770->47771 47771->47767 47773 43bac5 _strftime 47772->47773 48239 43ae03 47773->48239 47775 40efb7 47775->47474 47775->47475 47777 41b5a0 47776->47777 47778 41b505 GetLocalTime 47776->47778 47780 401fd8 11 API calls 47777->47780 47779 40531e 28 API calls 47778->47779 47781 41b547 47779->47781 47782 41b5a8 47780->47782 47784 406383 28 API calls 47781->47784 47783 401fd8 11 API calls 47782->47783 47785 40f00d 47783->47785 47786 41b553 47784->47786 47785->47491 48267 402f10 47786->48267 47789 406383 28 API calls 47790 41b56b 47789->47790 48272 407200 77 API calls 47790->48272 47792 41b579 47793 401fd8 11 API calls 47792->47793 47794 41b585 47793->47794 47795 401fd8 11 API calls 47794->47795 47796 41b58e 47795->47796 47797 401fd8 11 API calls 47796->47797 47798 41b597 47797->47798 47799 401fd8 11 API calls 47798->47799 47799->47777 47801 409e02 _wcslen 47800->47801 47802 409e24 47801->47802 47803 409e0d 47801->47803 47805 40da34 31 API calls 47802->47805 47804 40da34 31 API calls 47803->47804 47807 409e15 47804->47807 47806 409e2c 47805->47806 47808 401f13 28 API calls 47806->47808 47809 401f13 28 API calls 47807->47809 47810 409e3a 47808->47810 47824 409e1f 47809->47824 47811 401f09 11 API calls 47810->47811 47812 409e42 47811->47812 48291 40915b 28 API calls 47812->48291 47813 401f09 11 API calls 47815 409e79 47813->47815 48276 40a109 47815->48276 47817 409e54 48292 403014 47817->48292 47821 401f13 28 API calls 47822 409e69 47821->47822 47823 401f09 11 API calls 47822->47823 47823->47824 47824->47813 48496 40417e 47825->48496 
47830 403014 28 API calls 47831 41b672 47830->47831 47832 401f09 11 API calls 47831->47832 47833 41b67b 47832->47833 47834 401f09 11 API calls 47833->47834 47835 40f223 47834->47835 47835->47544 47837 413520 RegQueryValueExA RegCloseKey 47836->47837 47838 40f2e4 47836->47838 47837->47838 47838->47417 47838->47572 47840 40f392 47839->47840 47841 413a3f RegDeleteValueW 47839->47841 47840->47410 47841->47840 47843 40dd5b 47842->47843 47844 4134ff 3 API calls 47843->47844 47845 40dd62 47844->47845 47849 40dd81 47845->47849 48588 401707 47845->48588 47847 40dd6f 48591 413877 RegCreateKeyA 47847->48591 47850 414f2a 47849->47850 47851 4020df 11 API calls 47850->47851 47852 414f3e 47851->47852 48605 41b8b3 47852->48605 47855 4020df 11 API calls 47856 414f54 47855->47856 47857 401e65 22 API calls 47856->47857 47858 414f62 47857->47858 47859 43baac _strftime 40 API calls 47858->47859 47860 414f6f 47859->47860 47861 414f81 47860->47861 47862 414f74 Sleep 47860->47862 47863 402093 28 API calls 47861->47863 47862->47861 47864 414f90 47863->47864 47865 401e65 22 API calls 47864->47865 47866 414f99 47865->47866 47867 4020f6 28 API calls 47866->47867 47868 414fa4 47867->47868 47869 41be1b 28 API calls 47868->47869 47870 414fac 47869->47870 48609 40489e WSAStartup 47870->48609 47872 414fb6 47873 401e65 22 API calls 47872->47873 47874 414fbf 47873->47874 47876 401e65 22 API calls 47874->47876 47901 41503e 47874->47901 47875 402093 28 API calls 47875->47901 47877 414fd8 47876->47877 47879 401e65 22 API calls 47877->47879 47878 4020f6 28 API calls 47878->47901 47880 414fe9 47879->47880 47882 401e65 22 API calls 47880->47882 47881 41be1b 28 API calls 47881->47901 47884 414ffa 47882->47884 47883 401e65 22 API calls 47883->47901 47886 401e65 22 API calls 47884->47886 47885 406c1e 28 API calls 47885->47901 47887 41500b 47886->47887 47889 401e65 22 API calls 47887->47889 47888 401fe2 28 API calls 47888->47901 47890 41501c 47889->47890 47891 401e65 22 API calls 47890->47891 47892 41502e 
47891->47892 48774 40473d 89 API calls 47892->48774 47894 41b4ef 80 API calls 47894->47901 47896 41518c WSAGetLastError 48775 41cae1 30 API calls 47896->48775 47901->47875 47901->47878 47901->47881 47901->47883 47901->47885 47901->47888 47901->47894 47901->47896 47904 40531e 28 API calls 47901->47904 47905 401e8d 11 API calls 47901->47905 47906 43baac _strftime 40 API calls 47901->47906 47907 406383 28 API calls 47901->47907 47911 40905c 28 API calls 47901->47911 47912 441e81 20 API calls 47901->47912 47913 4136f8 3 API calls 47901->47913 47914 4135a6 31 API calls 47901->47914 47915 40417e 28 API calls 47901->47915 47918 401e65 22 API calls 47901->47918 47922 41bb8e 28 API calls 47901->47922 47924 41bd1e 28 API calls 47901->47924 47927 402f10 28 API calls 47901->47927 47928 402ea1 28 API calls 47901->47928 47930 401fd8 11 API calls 47901->47930 47931 401f09 11 API calls 47901->47931 47933 415a33 47901->47933 47935 415a71 CreateThread 47901->47935 48610 414ee9 47901->48610 48615 40482d 47901->48615 48622 404f51 47901->48622 48637 4048c8 connect 47901->48637 48697 41b7e0 47901->48697 48700 4145bd 47901->48700 48703 40dd89 47901->48703 48709 41bc42 47901->48709 48712 41bae6 47901->48712 48714 41ba96 47901->48714 48719 40f8d1 GetLocaleInfoA 47901->48719 48722 402f31 47901->48722 48727 404aa1 47901->48727 48742 404c10 47901->48742 48761 404e26 WaitForSingleObject 47901->48761 48776 4052fd 28 API calls 47901->48776 47904->47901 47905->47901 47908 415acf Sleep 47906->47908 47907->47901 47908->47901 47911->47901 47912->47901 47913->47901 47914->47901 47915->47901 47919 415439 GetTickCount 47918->47919 47920 41bb8e 28 API calls 47919->47920 47920->47901 47922->47901 47924->47901 47927->47901 47928->47901 47930->47901 47931->47901 48777 40b051 85 API calls 47933->48777 47935->47901 48858 41ad17 105 API calls 47935->48858 47936->47328 47937->47337 47938->47341 47941 4020df 11 API calls 47940->47941 47942 406c2a 47941->47942 47943 4032a0 28 API calls 47942->47943 47944 406c47 
47943->47944 47944->47362 47946 40eba4 47945->47946 47947 413573 RegQueryValueExA RegCloseKey 47945->47947 47946->47359 47946->47376 47947->47946 47948->47365 47949->47395 47950->47388 47951->47380 47952->47393 47954 401f86 11 API calls 47953->47954 47955 40da50 47954->47955 47956 40da70 47955->47956 47957 40daa5 47955->47957 47958 40da66 47955->47958 48859 41b5b4 29 API calls 47956->48859 47961 41bfb7 GetCurrentProcess 47957->47961 47960 40db99 GetLongPathNameW 47958->47960 47963 40417e 28 API calls 47960->47963 47964 40daaa 47961->47964 47962 40da79 47965 401f13 28 API calls 47962->47965 47966 40dbae 47963->47966 47967 40db00 47964->47967 47968 40daae 47964->47968 47969 40da83 47965->47969 47970 40417e 28 API calls 47966->47970 47971 40417e 28 API calls 47967->47971 47972 40417e 28 API calls 47968->47972 47976 401f09 11 API calls 47969->47976 47973 40dbbd 47970->47973 47974 40db0e 47971->47974 47975 40dabc 47972->47975 48862 40ddd1 28 API calls 47973->48862 47979 40417e 28 API calls 47974->47979 47980 40417e 28 API calls 47975->47980 47976->47958 47978 40dbd0 48863 402fa5 28 API calls 47978->48863 47983 40db24 47979->47983 47984 40dad2 47980->47984 47982 40dbdb 48864 402fa5 28 API calls 47982->48864 48861 402fa5 28 API calls 47983->48861 48860 402fa5 28 API calls 47984->48860 47988 40dbe5 47991 401f09 11 API calls 47988->47991 47989 40db2f 47992 401f13 28 API calls 47989->47992 47990 40dadd 47993 401f13 28 API calls 47990->47993 47994 40dbef 47991->47994 47995 40db3a 47992->47995 47996 40dae8 47993->47996 47997 401f09 11 API calls 47994->47997 47998 401f09 11 API calls 47995->47998 47999 401f09 11 API calls 47996->47999 48000 40dbf8 47997->48000 48001 40db43 47998->48001 48002 40daf1 47999->48002 48003 401f09 11 API calls 48000->48003 48004 401f09 11 API calls 48001->48004 48005 401f09 11 API calls 48002->48005 48006 40dc01 48003->48006 48004->47969 48005->47969 48007 401f09 11 API calls 48006->48007 48008 40dc0a 48007->48008 48009 401f09 11 API calls 
48008->48009 48010 40dc13 48009->48010 48010->47452 48011->47464 48012->47487 48014 41371e RegQueryValueExA RegCloseKey 48013->48014 48015 413742 48013->48015 48014->48015 48015->47445 48016->47481 48021 4344ef 48017->48021 48018 43bd51 new 21 API calls 48018->48021 48019 40f0d1 48019->47517 48021->48018 48021->48019 48865 442f80 7 API calls 2 library calls 48021->48865 48866 434c35 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48021->48866 48867 43526e RaiseException Concurrency::cancel_current_task __CxxThrowException@8 48021->48867 48024->47547 48025->47537 48027->47581 48028->47386 48031 41b4c5 LoadResource LockResource SizeofResource 48030->48031 48032 40f3de 48030->48032 48031->48032 48033 43bd51 48032->48033 48038 446137 ___crtLCMapStringA 48033->48038 48034 446175 48050 4405dd 20 API calls __dosmaperr 48034->48050 48035 446160 RtlAllocateHeap 48037 446173 48035->48037 48035->48038 48037->47630 48038->48034 48038->48035 48049 442f80 7 API calls 2 library calls 48038->48049 48041 4020bf 48040->48041 48051 4023ce 48041->48051 48043 4020ca 48055 40250a 48043->48055 48045 4020d9 48045->47633 48047 4020b7 28 API calls 48046->48047 48048 406dec 48047->48048 48048->47640 48049->48038 48050->48037 48052 402428 48051->48052 48053 4023d8 48051->48053 48052->48043 48053->48052 48062 4027a7 11 API calls std::_Deallocate 48053->48062 48056 40251a 48055->48056 48057 402520 48056->48057 48058 402535 48056->48058 48063 402569 48057->48063 48073 4028e8 48058->48073 48061 402533 48061->48045 48062->48052 48084 402888 48063->48084 48065 40257d 48066 402592 48065->48066 48067 4025a7 48065->48067 48089 402a34 22 API calls 48066->48089 48069 4028e8 28 API calls 48067->48069 48072 4025a5 48069->48072 48070 40259b 48090 4029da 22 API calls 48070->48090 48072->48061 48074 4028f1 48073->48074 48075 402953 48074->48075 48076 4028fb 48074->48076 48098 4028a4 22 API calls 48075->48098 48079 402917 48076->48079 48081 402904 48076->48081 48080 402915 48079->48080 
48083 4023ce 11 API calls 48079->48083 48080->48061 48092 402cae 48081->48092 48083->48080 48085 402890 48084->48085 48086 402898 48085->48086 48091 402ca3 22 API calls 48085->48091 48086->48065 48089->48070 48090->48072 48093 402cb8 __EH_prolog 48092->48093 48099 402e54 22 API calls 48093->48099 48095 4023ce 11 API calls 48097 402d92 48095->48097 48096 402d24 48096->48095 48097->48080 48099->48096 48101 4020e7 48100->48101 48102 4023ce 11 API calls 48101->48102 48103 4020f2 48102->48103 48103->47649 48104->47649 48106 41ce41 48105->48106 48107 41cea0 48106->48107 48111 41ce51 48106->48111 48108 41ceba 48107->48108 48109 41cfe0 28 API calls 48107->48109 48126 41d146 28 API calls 48108->48126 48109->48108 48112 41ce89 48111->48112 48117 41cfe0 48111->48117 48125 41d146 28 API calls 48112->48125 48113 41ce9c 48113->47649 48116->47657 48119 41cfe8 48117->48119 48118 41d01a 48118->48112 48119->48118 48120 41d01e 48119->48120 48123 41d002 48119->48123 48137 402725 22 API calls 48120->48137 48127 41d051 48123->48127 48125->48113 48126->48113 48128 41d05b __EH_prolog 48127->48128 48138 402717 22 API calls 48128->48138 48130 41d06e 48139 41d15d 11 API calls 48130->48139 48132 41d094 48133 41d0cc 48132->48133 48140 402730 11 API calls 48132->48140 48133->48118 48135 41d0b3 48141 402712 11 API calls std::_Deallocate 48135->48141 48138->48130 48139->48132 48140->48135 48141->48133 48142->47672 48143->47676 48144->47678 48148 4032aa 48146->48148 48147 4032c9 48147->47688 48148->48147 48149 4028e8 28 API calls 48148->48149 48149->48147 48151 4051fb 48150->48151 48160 405274 48151->48160 48153 405208 48153->47691 48155 402061 48154->48155 48156 4023ce 11 API calls 48155->48156 48157 40207b 48156->48157 48182 40267a 48157->48182 48161 405282 48160->48161 48162 405288 48161->48162 48163 40529e 48161->48163 48171 4025f0 48162->48171 48165 4052f5 48163->48165 48166 4052b6 48163->48166 48180 4028a4 22 API calls 48165->48180 48169 4028e8 28 API calls 48166->48169 48170 40529c 
48166->48170 48169->48170 48170->48153 48172 402888 22 API calls 48171->48172 48173 402602 48172->48173 48174 402672 48173->48174 48176 402629 48173->48176 48181 4028a4 22 API calls 48174->48181 48178 4028e8 28 API calls 48176->48178 48179 40263b 48176->48179 48178->48179 48179->48170 48183 40268b 48182->48183 48184 4023ce 11 API calls 48183->48184 48185 40208d 48184->48185 48185->47694 48186->47702 48187->47707 48190 41bfc4 GetCurrentProcess 48189->48190 48191 41b2d1 48189->48191 48190->48191 48192 4135a6 RegOpenKeyExA 48191->48192 48193 4135d4 RegQueryValueExA RegCloseKey 48192->48193 48194 4135fe 48192->48194 48193->48194 48195 402093 28 API calls 48194->48195 48196 413613 48195->48196 48196->47718 48197->47729 48199 40b90c 48198->48199 48204 402252 48199->48204 48201 40b917 48208 40b92c 48201->48208 48203 40b926 48203->47737 48205 40225c 48204->48205 48206 4022ac 48204->48206 48205->48206 48215 402779 11 API calls std::_Deallocate 48205->48215 48206->48201 48209 40b966 48208->48209 48210 40b938 48208->48210 48227 4028a4 22 API calls 48209->48227 48216 4027e6 48210->48216 48214 40b942 48214->48203 48215->48206 48217 4027ef 48216->48217 48218 402851 48217->48218 48219 4027f9 48217->48219 48229 4028a4 22 API calls 48218->48229 48222 402802 48219->48222 48225 402815 48219->48225 48228 402aea 28 API calls __EH_prolog 48222->48228 48223 402813 48223->48214 48225->48223 48226 402252 11 API calls 48225->48226 48226->48223 48228->48223 48230->47740 48232 402347 48231->48232 48233 402252 11 API calls 48232->48233 48234 4023c7 48233->48234 48234->47740 48236 4024f9 48235->48236 48237 40250a 28 API calls 48236->48237 48238 4020b1 48237->48238 48238->47456 48255 43ba0a 48239->48255 48241 43ae50 48261 43a7b7 36 API calls 2 library calls 48241->48261 48243 43ae15 48243->48241 48244 43ae2a 48243->48244 48254 43ae2f __cftof 48243->48254 48260 4405dd 20 API calls __dosmaperr 48244->48260 48247 43ae5c 48248 43ae8b 48247->48248 48262 43ba4f 40 API calls __Tolower 48247->48262 
48251 43aef7 48248->48251 48263 43b9b6 20 API calls 2 library calls 48248->48263 48264 43b9b6 20 API calls 2 library calls 48251->48264 48252 43afbe _strftime 48252->48254 48265 4405dd 20 API calls __dosmaperr 48252->48265 48254->47775 48256 43ba22 48255->48256 48257 43ba0f 48255->48257 48256->48243 48266 4405dd 20 API calls __dosmaperr 48257->48266 48259 43ba14 __cftof 48259->48243 48260->48254 48261->48247 48262->48247 48263->48251 48264->48252 48265->48254 48266->48259 48273 401fb0 48267->48273 48269 402f1e 48270 402055 11 API calls 48269->48270 48271 402f2d 48270->48271 48271->47789 48272->47792 48274 4025f0 28 API calls 48273->48274 48275 401fbd 48274->48275 48275->48269 48277 40a127 48276->48277 48278 413549 3 API calls 48277->48278 48279 40a12e 48278->48279 48280 40a142 48279->48280 48281 40a15c 48279->48281 48282 409e9b 48280->48282 48283 40a147 48280->48283 48297 40905c 48281->48297 48282->47510 48285 40905c 28 API calls 48283->48285 48287 40a155 48285->48287 48325 40a22d 29 API calls 48287->48325 48290 40a15a 48290->48282 48291->47817 48473 403222 48292->48473 48294 403022 48477 403262 48294->48477 48298 409072 48297->48298 48299 402252 11 API calls 48298->48299 48300 40908c 48299->48300 48326 404267 48300->48326 48302 40909a 48303 40a179 48302->48303 48338 40b8ec 48303->48338 48306 40a1a2 48309 402093 28 API calls 48306->48309 48307 40a1ca 48308 402093 28 API calls 48307->48308 48311 40a1d5 48308->48311 48310 40a1ac 48309->48310 48312 41bc5e 28 API calls 48310->48312 48313 402093 28 API calls 48311->48313 48314 40a1ba 48312->48314 48315 40a1e4 48313->48315 48342 40b164 31 API calls new 48314->48342 48317 41b4ef 80 API calls 48315->48317 48319 40a1e9 CreateThread 48317->48319 48318 40a1c1 48320 401fd8 11 API calls 48318->48320 48321 40a210 CreateThread 48319->48321 48322 40a204 CreateThread 48319->48322 48344 40a27d 48319->48344 48320->48307 48323 401f09 11 API calls 48321->48323 48350 40a289 48321->48350 48322->48321 48347 40a267 48322->48347 48324 
40a224 48323->48324 48324->48282 48325->48290 48472 40a273 163 API calls 48325->48472 48327 402888 22 API calls 48326->48327 48328 40427b 48327->48328 48329 404290 48328->48329 48330 4042a5 48328->48330 48336 4042df 22 API calls 48329->48336 48331 4027e6 28 API calls 48330->48331 48333 4042a3 48331->48333 48333->48302 48334 404299 48337 402c48 22 API calls 48334->48337 48336->48334 48337->48333 48339 40b8f5 48338->48339 48340 40a197 48338->48340 48343 40b96c 28 API calls 48339->48343 48340->48306 48340->48307 48342->48318 48343->48340 48353 40a726 48344->48353 48400 40a2b8 48347->48400 48430 40acd6 48350->48430 48354 40a73b Sleep 48353->48354 48374 40a675 48354->48374 48356 40a286 48357 40a78c GetFileAttributesW 48361 40a74d 48357->48361 48358 40a77b CreateDirectoryW 48358->48361 48359 40a7a3 SetFileAttributesW 48359->48361 48361->48354 48361->48356 48361->48357 48361->48358 48361->48359 48363 401e65 22 API calls 48361->48363 48370 40a7ee 48361->48370 48387 41c3f1 48361->48387 48362 40a81d PathFileExistsW 48362->48370 48363->48361 48364 4020df 11 API calls 48364->48370 48366 4020b7 28 API calls 48366->48370 48367 40a926 SetFileAttributesW 48367->48361 48368 406dd8 28 API calls 48368->48370 48369 401fe2 28 API calls 48369->48370 48370->48362 48370->48364 48370->48366 48370->48367 48370->48368 48370->48369 48372 401fd8 11 API calls 48370->48372 48373 401fd8 11 API calls 48370->48373 48397 41c485 32 API calls 48370->48397 48398 41c4f2 CreateFileW SetFilePointer CloseHandle WriteFile FindCloseChangeNotification 48370->48398 48372->48370 48373->48361 48375 40a722 48374->48375 48377 40a68b 48374->48377 48375->48361 48376 40a6aa CreateFileW 48376->48377 48378 40a6b8 GetFileSize 48376->48378 48377->48376 48379 40a6ed FindCloseChangeNotification 48377->48379 48380 40a6ff 48377->48380 48381 40a6e2 Sleep 48377->48381 48382 40a6db 48377->48382 48378->48377 48378->48379 48379->48377 48380->48375 48384 40905c 28 API calls 48380->48384 48381->48379 48399 40b0dc 84 API calls 
48382->48399 48385 40a71b 48384->48385 48386 40a179 124 API calls 48385->48386 48386->48375 48388 41c404 CreateFileW 48387->48388 48390 41c441 48388->48390 48391 41c43d 48388->48391 48392 41c461 WriteFile 48390->48392 48393 41c448 SetFilePointer 48390->48393 48391->48361 48394 41c474 48392->48394 48395 41c476 FindCloseChangeNotification 48392->48395 48393->48392 48396 41c458 CloseHandle 48393->48396 48394->48395 48395->48391 48396->48391 48397->48370 48398->48370 48399->48381 48401 40a2d1 GetModuleHandleA SetWindowsHookExA 48400->48401 48402 40a333 GetMessageA 48400->48402 48401->48402 48404 40a2ed GetLastError 48401->48404 48403 40a345 TranslateMessage DispatchMessageA 48402->48403 48414 40a270 48402->48414 48403->48402 48403->48414 48415 41bb8e 48404->48415 48421 441e81 48415->48421 48418 402093 28 API calls 48419 40a2fe 48418->48419 48420 4052fd 28 API calls 48419->48420 48422 441e8d 48421->48422 48425 441c7d 48422->48425 48424 41bbb2 48424->48418 48426 441c94 48425->48426 48428 441ccb __cftof 48426->48428 48429 4405dd 20 API calls __dosmaperr 48426->48429 48428->48424 48429->48428 48437 40ace4 48430->48437 48431 40a292 48432 40ad3e Sleep GetForegroundWindow GetWindowTextLengthW 48434 40b904 28 API calls 48432->48434 48434->48437 48437->48431 48437->48432 48439 41bae6 GetTickCount 48437->48439 48440 40ad84 GetWindowTextW 48437->48440 48442 401f09 11 API calls 48437->48442 48443 40aedc 48437->48443 48444 40b8ec 28 API calls 48437->48444 48446 40ae49 Sleep 48437->48446 48447 441e81 20 API calls 48437->48447 48449 402093 28 API calls 48437->48449 48450 40add1 48437->48450 48455 403014 28 API calls 48437->48455 48456 406383 28 API calls 48437->48456 48457 41bc5e 28 API calls 48437->48457 48458 40a636 12 API calls 48437->48458 48459 401fd8 11 API calls 48437->48459 48460 4343e6 EnterCriticalSection LeaveCriticalSection WaitForSingleObjectEx __Init_thread_wait __Init_thread_footer 48437->48460 48461 401f86 48437->48461 48465 434770 23 API calls __onexit 48437->48465 
48466 4343a7 SetEvent ResetEvent EnterCriticalSection LeaveCriticalSection __Init_thread_footer 48437->48466 48467 409044 28 API calls 48437->48467 48469 40b97c 28 API calls 48437->48469 48470 40b748 40 API calls 2 library calls 48437->48470 48471 4052fd 28 API calls 48437->48471 48439->48437 48440->48437 48442->48437 48445 401f09 11 API calls 48443->48445 48444->48437 48445->48431 48446->48437 48447->48437 48449->48437 48450->48437 48451 40905c 28 API calls 48450->48451 48468 40b164 31 API calls new 48450->48468 48451->48450 48455->48437 48456->48437 48457->48437 48458->48437 48459->48437 48462 401f8e 48461->48462 48463 402252 11 API calls 48462->48463 48464 401f99 48463->48464 48464->48437 48465->48437 48466->48437 48467->48437 48468->48450 48469->48437 48470->48437 48474 40322e 48473->48474 48483 403618 48474->48483 48476 40323b 48476->48294 48478 40326e 48477->48478 48479 402252 11 API calls 48478->48479 48480 403288 48479->48480 48481 402336 11 API calls 48480->48481 48482 403031 48481->48482 48482->47821 48484 403626 48483->48484 48485 403644 48484->48485 48486 40362c 48484->48486 48488 40365c 48485->48488 48489 40369e 48485->48489 48494 4036a6 28 API calls 48486->48494 48491 4027e6 28 API calls 48488->48491 48493 403642 48488->48493 48495 4028a4 22 API calls 48489->48495 48491->48493 48493->48476 48494->48493 48497 404186 48496->48497 48498 402252 11 API calls 48497->48498 48499 404191 48498->48499 48507 4041bc 48499->48507 48502 4042fc 48518 404353 48502->48518 48504 40430a 48505 403262 11 API calls 48504->48505 48506 404319 48505->48506 48506->47830 48508 4041c8 48507->48508 48511 4041d9 48508->48511 48510 40419c 48510->48502 48512 4041e9 48511->48512 48513 404206 48512->48513 48514 4041ef 48512->48514 48515 4027e6 28 API calls 48513->48515 48516 404267 28 API calls 48514->48516 48517 404204 48515->48517 48516->48517 48517->48510 48519 40435f 48518->48519 48522 404371 48519->48522 48521 40436d 48521->48504 48523 40437f 48522->48523 48524 404385 
48523->48524 48525 40439e 48523->48525 48586 4034e6 28 API calls 48524->48586 48526 402888 22 API calls 48525->48526 48527 4043a6 48526->48527 48529 404419 48527->48529 48530 4043bf 48527->48530 48587 4028a4 22 API calls 48529->48587 48532 4027e6 28 API calls 48530->48532 48541 40439c 48530->48541 48532->48541 48541->48521 48586->48541 48594 43aa9a 48588->48594 48592 41388f RegSetValueExA RegCloseKey 48591->48592 48593 4138b9 48591->48593 48592->48593 48593->47849 48597 43aa1b 48594->48597 48596 40170d 48596->47847 48598 43aa2a 48597->48598 48599 43aa3e 48597->48599 48603 4405dd 20 API calls __dosmaperr 48598->48603 48602 43aa2f __alldvrm __cftof 48599->48602 48604 448957 11 API calls 2 library calls 48599->48604 48602->48596 48603->48602 48604->48602 48608 41b8f9 ctype ___scrt_get_show_window_mode 48605->48608 48606 402093 28 API calls 48607 414f49 48606->48607 48607->47855 48608->48606 48609->47872 48611 414f02 getaddrinfo WSASetLastError 48610->48611 48612 414ef8 48610->48612 48611->47901 48778 414d86 29 API calls ___std_exception_copy 48612->48778 48614 414efd 48614->48611 48616 404846 socket 48615->48616 48617 404839 48615->48617 48619 404860 CreateEventW 48616->48619 48620 404842 48616->48620 48779 40489e WSAStartup 48617->48779 48619->47901 48620->47901 48621 40483e 48621->48616 48621->48620 48623 404f65 48622->48623 48624 404fea 48622->48624 48625 404f6e 48623->48625 48626 404fc0 CreateEventA CreateThread 48623->48626 48627 404f7d GetLocalTime 48623->48627 48624->47901 48625->48626 48626->48624 48781 405150 48626->48781 48628 41bb8e 28 API calls 48627->48628 48629 404f91 48628->48629 48780 4052fd 28 API calls 48629->48780 48638 404a1b 48637->48638 48639 4048ee 48637->48639 48640 40497e 48638->48640 48641 404a21 WSAGetLastError 48638->48641 48639->48640 48642 404923 48639->48642 48645 40531e 28 API calls 48639->48645 48640->47901 48641->48640 48643 404a31 48641->48643 48785 420c60 27 API calls 48642->48785 48646 404932 48643->48646 48647 404a36 48643->48647 
Control-flow graph edge list (Joe Sandbox IDA plugin rendering; the interactive graph is omitted). API-calling basic blocks recoverable from the edge list:
• 4049f9 CreateEventW, CreateEventW
• 41e711 DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection
• 41b7b6 GlobalMemoryStatusEx
• 41bafc GetTickCount
• 41bab5 GetForegroundWindow, GetWindowTextW
• 404b40 WaitForSingleObject; 404b32 send; 404b69 SetEvent
• 404e40 SetEvent, FindCloseChangeNotification; 404e57 closesocket; 404e8c WaitForSingleObject; 404e9b SetEvent, WaitForSingleObject; 404eb3 SetEvent, CloseHandle, CloseHandle; 404ece SetEvent, CloseHandle
• 404ba0 WaitForSingleObject; 404bbc SetEvent; 404bcd recv
• 40f856 Sleep; 412850 TerminateProcess, WaitForSingleObject; 40f8c8 ExitProcess
• CRT helpers: 44f3dd GetEnvironmentStringsW; 44f41f FreeEnvironmentStringsW; 446160 and 445b2b RtlAllocateHeap; 445888 EnterCriticalSection; 43becf LeaveCriticalSection; 448299 GetLastError; 448306 and 44830f SetLastError

                                              Control-flow Graph

                                              APIs
                                              • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                              • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                              • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                              • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                              • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC86
                                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040E9E1), ref: 0041CC97
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CC9A
                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCBA
                                              • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040E9E1), ref: 0041CCDC
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCDF
                                              • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CCF3
                                              • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD07
                                              • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,?,0040E9E1), ref: 0041CD19
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD1C
                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,?,0040E9E1), ref: 0041CD29
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD2C
                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,?,0040E9E1), ref: 0041CD39
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD3C
                                              • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,?,0040E9E1), ref: 0041CD49
                                              • GetProcAddress.KERNEL32(00000000), ref: 0041CD4C
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              • API ID: AddressProc$LibraryLoad$HandleModule
                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                              • API String ID: 4236061018-3687161714
                                              • Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                              • Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
                                              • Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
                                              • Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE
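The listing above is the sample resolving its working set of APIs at run time instead of importing them statically, so the PE's import table alone understates what it can do: NtUnmapViewOfSection, NtSuspendProcess, NtResumeProcess, NtQueryInformationProcess, GetExtendedTcpTable and the Restart Manager calls only become visible here. Joe Sandbox prints the stack slots that follow the declared argument, and in this trace the slot after the module name is the lpProcName handed to the GetProcAddress logged immediately afterwards, so the dynamic import table can be rebuilt from the log. The script below is an added example written for this page, not code from the Joe Sandbox report or from the sample. It embeds a subset of the lines above as constructed input, pairs each LoadLibraryA/GetModuleHandleA with the GetProcAddress that follows it, and records an 8-digit hex value in the name slot (the Shlwapi,0000000C line) as an ordinal lookup. The 0x20-byte distance limit between the two ref addresses is an assumption about how the resolver stub is laid out, not something the report states.

```python
"""Rebuild dynamically resolved imports from Joe Sandbox API trace lines."""
import re

# Constructed input: a subset of the 0041CB50 API lines from the report above.
TRACE = """
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
• GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
• GetProcAddress.KERNEL32(00000000), ref: 0041CB88
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
• GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
• LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
• GetProcAddress.KERNEL32(00000000), ref: 0041CC86
• GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
• GetProcAddress.KERNEL32(00000000), ref: 0041CCAA
• LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040E9E1), ref: 0041CCCC
• GetProcAddress.KERNEL32(00000000), ref: 0041CCCF
"""

# "• Api.MODULE(arg,arg,...), ref: ADDRESS"; the bullet is optional so cleaned lines parse too
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.\w+\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
LOADERS = ("LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW")
MAX_STUB_DISTANCE = 0x20  # assumption: GetProcAddress follows the load call within 32 bytes


def parse_trace(text):
    """Yield (api_name, [args], ref_address) for every line that matches the log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")]
            yield m.group("api"), args, int(m.group("ref"), 16)


def resolve_imports(text):
    """Map each module (lower-cased) to the names resolved from it, in trace order.

    A LoadLibrary/GetModuleHandle call is paired with the next GetProcAddress if
    that call sits within MAX_STUB_DISTANCE bytes of it; the function name is
    taken from the stack slot logged after the module name. An 8-digit hex value
    in that slot means GetProcAddress was called with an ordinal, recorded as '#N'.
    """
    table = {}
    pending = None
    for api, args, ref in parse_trace(text):
        if api in LOADERS and len(args) >= 2:
            pending = (args[0].lower(), args[1], ref)
        elif api == "GetProcAddress" and pending is not None:
            module, name, load_ref = pending
            pending = None
            if not 0 < ref - load_ref <= MAX_STUB_DISTANCE:
                continue  # an unrelated GetProcAddress; do not attribute it
            if re.fullmatch(r"[0-9A-Fa-f]{8}", name):
                name = "#%d" % int(name, 16)
            table.setdefault(module, []).append(name)
    return table


def unlisted_capabilities(table, static_imports):
    """Names the sample resolves at run time that are absent from its static import table."""
    resolved = {n for names in table.values() for n in names}
    return sorted(resolved - set(static_imports))


if __name__ == "__main__":
    imports = resolve_imports(TRACE)
    for module, names in imports.items():
        print(module, "->", ", ".join(names))
    # static_imports would normally come from the PE's IAT; this value is made up for the demo
    print("not in static IAT:", unlisted_capabilities(imports, ["GetProcessImageFileNameW"]))
```

Run it against the full listing above to get the complete table; the ordinal case is worth keeping because a hard-coded ordinal is not searchable by name in the strings output, so it would otherwise be missed.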

                                              Control-flow Graph

control_flow_graph 40a2b8 (interactive rendering omitted; the original marks blocks as executed or not executed). Edge summary:
• 40a2b8-40a2cf entry -> 40a2d1-40a2eb GetModuleHandleA, SetWindowsHookExA -> 40a333-40a343 GetMessageA
• 40a2d1-40a2eb on hook failure -> 40a2ed-40a331 GetLastError, call 41bb8e, call 4052fd, call 402093, call 41b4ef, call 401fd8 -> 40a361-40a366
• 40a333-40a343 GetMessageA -> 40a345-40a35d TranslateMessage, DispatchMessageA -> back to 40a333; otherwise 40a35f -> 40a361-40a366
                                              APIs
                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
                                              • SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
                                              • GetLastError.KERNEL32 ref: 0040A2ED
                                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
                                              • TranslateMessage.USER32(?), ref: 0040A34A
                                              • DispatchMessageA.USER32(?), ref: 0040A355
                                              Strings
                                              • Keylogger initialization failure: error , xrefs: 0040A301
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                              • String ID: Keylogger initialization failure: error
                                              • API String ID: 3219506041-952744263
                                              • Opcode ID: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                              • Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
                                              • Opcode Fuzzy Hash: 24ad775559425fbf79376f518a65b03612fe455b391ecaf03d99fa65814271bc
                                              • Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA
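The function above installs the keylogger: SetWindowsHookExA with idHook 0000000D (WH_KEYBOARD_LL) and callback 0040A2A4, followed by a GetMessageA/TranslateMessage/DispatchMessageA loop. Both halves matter for detection. A low-level keyboard hook is always system-wide, and Windows delivers it through the installing thread's message queue, so a hook with no message pump behind it never fires; the pump is what makes this a live keylogger rather than a dead API call. The script below is an added example written for this page, not code from the report or the sample. It parses the API lines above, embedded as constructed input, and reports each keyboard hook together with whether the same trace contains a message pump after it; the second constructed line in the test shows the thread-scoped WH_KEYBOARD case that the report does not contain.

```python
"""Flag a global keyboard hook plus message pump in Joe Sandbox API trace lines."""
import re

WH_KEYBOARD, WH_KEYBOARD_LL = 2, 13  # idHook values from WinUser.h
HOOK_NAMES = {WH_KEYBOARD: "WH_KEYBOARD", WH_KEYBOARD_LL: "WH_KEYBOARD_LL"}

# Constructed input: the 0040A2B8 API lines from the report above.
TRACE = """
• GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
• SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
• GetLastError.KERNEL32 ref: 0040A2ED
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040A33B
• TranslateMessage.USER32(?), ref: 0040A34A
• DispatchMessageA.USER32(?), ref: 0040A355
"""

# the argument list is optional: parameterless calls are printed as "Api.MODULE ref: ..."
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.\w+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_trace(text):
    """Yield (api_name, [args], ref_address); '?' placeholders are kept as they are."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = m.group("args")
            args = [a.strip() for a in args.split(",")] if args else []
            yield m.group("api"), args, int(m.group("ref"), 16)


def hex_arg(args, index):
    """Integer value of a logged argument, or None if it is missing or unresolved ('?')."""
    if index >= len(args) or not re.fullmatch(r"[0-9A-Fa-f]{1,8}", args[index]):
        return None
    return int(args[index], 16)


def find_keyboard_hooks(text):
    """One finding per SetWindowsHookEx* call whose idHook is a keyboard hook.

    'keylogger' is True when a WH_KEYBOARD_LL hook is followed by a GetMessage*
    call in the same trace: low-level hooks are always system-wide and are only
    delivered while the installing thread pumps messages, so hook + pump is the
    pattern that actually captures keystrokes.
    """
    calls = list(parse_trace(text))
    findings = []
    for i, (api, args, ref) in enumerate(calls):
        if not api.startswith("SetWindowsHookEx"):
            continue
        id_hook = hex_arg(args, 0)
        if id_hook not in HOOK_NAMES:
            continue
        pumps = any(a.startswith("GetMessage") for a, _, _ in calls[i + 1:])
        findings.append({
            "hook": HOOK_NAMES[id_hook],
            "callback": hex_arg(args, 1),
            "thread_id": hex_arg(args, 3),  # None when the sandbox did not log dwThreadId
            "ref": ref,
            "message_pump": pumps,
            "keylogger": id_hook == WH_KEYBOARD_LL and pumps,
        })
    return findings


if __name__ == "__main__":
    for f in find_keyboard_hooks(TRACE):
        print("%s at %08X, callback %08X, message pump: %s, keylogger: %s"
              % (f["hook"], f["ref"], f["callback"] or 0, f["message_pump"], f["keylogger"]))
```

The callback address (0040A2A4 here) is the next thing to look at in the dump: it is the hook procedure that receives every keystroke, and the "Keylogger initialization failure" string on the error path confirms the author's intent for this thread.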

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00413549: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                                • Part of subcall function 00413549: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                                • Part of subcall function 00413549: RegCloseKey.KERNELBASE(?), ref: 00413592
                                              • Sleep.KERNELBASE(00000BB8), ref: 0040F85B
                                              • ExitProcess.KERNEL32 ref: 0040F8CA
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                              • String ID: 5.1.0 Pro$override$pth_unenc
                                              • API String ID: 2281282204-182549033
                                              • Opcode ID: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                              • Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
                                              • Opcode Fuzzy Hash: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
                                              • Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF
                                              APIs
                                              • GetLocalTime.KERNEL32(?), ref: 00404F81
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0
                                              Strings
                                              • KeepAlive | Enabled | Timeout: , xrefs: 00404F94
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              • API ID: Create$EventLocalThreadTime
                                              • String ID: KeepAlive | Enabled | Timeout:
                                              • API String ID: 2532271599-1507639952
                                              • Opcode ID: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                              • Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
                                              • Opcode Fuzzy Hash: 560c203c767acd10f1bafe677f0d9cbc016093e56ac0604e807a07335adf4d88
                                              • Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3
                                              • recv.WS2_32(?,?,?,00000000), ref: 00404BDA
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              • API ID: EventObjectSingleWaitrecv
                                              • String ID:
                                              • API String ID: 311754179-0
                                              • Opcode ID: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                              • Instruction ID: 1d69a7fd2e689c68354a0251ffa64299bfe08f5f9c70e8df09ea9ad7bb005133
                                              • Opcode Fuzzy Hash: 027f0035fd30dc323b2ad7daf66a247a767f4e031cde928d6a9ffdf935cc617f
                                              • Instruction Fuzzy Hash: 00F08236108213FFD7059F10EC09E4AFB62FB84721F10862AF510522B08771FC21DBA5
                                              APIs
                                              • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,004750E4), ref: 0041B62A
                                              • GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              • API ID: Name$ComputerUser
                                              • String ID:
                                              • API String ID: 4229901323-0
                                              • Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                              • Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
                                              • Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
                                              • Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8
                                              APIs
                                              • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,5.1.0 Pro), ref: 0040F8E5
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              • API ID: InfoLocale
                                              • String ID:
                                              • API String ID: 2299586839-0
                                              • Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                              • Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
                                              • Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
                                              • Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

                                              Control-flow Graph

control_flow_graph 40e9c5 (interactive rendering omitted; the original marks blocks as executed or not executed). API-calling blocks recoverable from the edge list:
• 40e9c5-40ea47 call 41cb50 (the dynamic API resolver listed above), GetModuleFileNameW
• 40eb5d-40eba8 and 40ebcb-40ebea call 413549 (registry read, see the RegOpenKeyExA listing above)
• 40efc3-40efda call 41cd9b, CreateThread
• 40efea-40f0c6 StrToIntA, call 409de4
• 40f0c8-40f0ff CreateThread; 40f11d-40f154 CreateThread; 40f16e-40f1c7 call 40d9e8, CreateThread
• 40f240-40f241 SetProcessDEPPolicy
• 40f243-40f256 CreateThread; 40f258-40f262 CreateThread; 40f26d-40f277 CreateThread
• 40f334-40f341 Sleep; 40f346-40f34b DeleteFileW
• 40f3a5-40f3af call 40dd42, call 414f2a (exit path)
• the remaining blocks contain only internal subroutine calls (401e65, 401fab, 401fd8, 402093, 41bc5e and others) with no direct API calls
                                              APIs
                                                • Part of subcall function 0041CB50: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB65
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB6E
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB88
                                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CB9A
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CB9D
                                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040E9E1), ref: 0041CBAE
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBB1
                                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040E9E1), ref: 0041CBC3
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBC6
                                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040E9E1), ref: 0041CBD2
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBD5
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBE9
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CBFD
                                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040E9E1), ref: 0041CC0E
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC11
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC25
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC39
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC4D
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC61
                                                • Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
                                                • Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000), ref: 0041CC75
                                                • Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040E9E1), ref: 0041CC83
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe,00000104), ref: 0040E9EE
                                                • Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                              • String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
                                              • API String ID: 2830904901-2501106381
                                              • Opcode ID: 9dbae48a280d3333a9d77f8d0747098945c713f3f6b336d54fdc187ddd26b95e
                                              • Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
                                              • Opcode Fuzzy Hash: 9dbae48a280d3333a9d77f8d0747098945c713f3f6b336d54fdc187ddd26b95e
                                              • Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

                                              Control-flow Graph

                                              control_flow_graph 448 414f2a-414f72 call 4020df call 41b8b3 call 4020df call 401e65 call 401fab call 43baac 461 414f81-414fcd call 402093 call 401e65 call 4020f6 call 41be1b call 40489e call 401e65 call 40b9bd 448->461 462 414f74-414f7b Sleep 448->462 477 415041-4150dc call 402093 call 401e65 call 4020f6 call 41be1b call 401e65 * 2 call 406c1e call 402f10 call 401fe2 call 401fd8 * 2 call 401e65 call 405b05 461->477 478 414fcf-41503e call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 401e65 call 40247c call 401e65 call 401fab call 40473d 461->478 462->461 531 4150ec-4150f3 477->531 532 4150de-4150ea 477->532 478->477 533 4150f8-41518a call 405aa6 call 40531e call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 2 call 401e65 call 401fab call 401e65 call 401fab call 414ee9 531->533 532->533 560 4151d5-4151e3 call 40482d 533->560 561 41518c-4151d0 WSAGetLastError call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 533->561 567 415210-415225 call 404f51 call 4048c8 560->567 568 4151e5-41520b call 402093 * 2 call 41b4ef 560->568 583 415aa3-415ab5 call 404e26 call 4021fa 561->583 567->583 584 41522b-41537e call 401e65 * 2 call 40531e call 406383 call 402f10 call 406383 call 402f10 call 402093 call 41b4ef call 401fd8 * 4 call 41b7e0 call 4145bd call 40905c call 441e81 call 401e65 call 4020f6 call 40247c call 401fab * 2 call 4136f8 567->584 568->583 596 415ab7-415ad7 call 401e65 call 401fab call 43baac Sleep 583->596 597 415add-415ae5 call 401e8d 583->597 648 415380-41538d call 405aa6 584->648 649 415392-4153b9 call 401fab call 4135a6 584->649 596->597 597->477 648->649 655 4153c0-415a0a call 40417e call 40dd89 call 41bc42 call 41bd1e call 41bb8e call 401e65 GetTickCount call 41bb8e call 41bae6 call 41bb8e * 2 call 41ba96 call 41bd1e * 5 call 40f8d1 call 41bd1e call 402f31 call 402ea1 call 402f10 call 402ea1 call 402f10 * 3 call 402ea1 call 402f10 call 406383 
call 402f10 call 406383 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 402ea1 call 402f10 call 406383 call 402f10 * 5 call 402ea1 call 402f10 call 402ea1 call 402f10 * 7 call 402ea1 call 404aa1 call 401fd8 * 50 call 401f09 call 401fd8 * 6 call 401f09 call 404c10 649->655 656 4153bb-4153bd 649->656 901 415a0f-415a16 655->901 656->655 902 415a18-415a1f 901->902 903 415a2a-415a31 901->903 902->903 904 415a21-415a23 902->904 905 415a33-415a38 call 40b051 903->905 906 415a3d-415a6f call 405a6b call 402093 * 2 call 41b4ef 903->906 904->903 905->906 917 415a71-415a7d CreateThread 906->917 918 415a83-415a9e call 401fd8 * 2 call 401f09 906->918 917->918 918->583
                                              APIs
                                              • Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
                                              • WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
                                              • Sleep.KERNELBASE(00000000,00000002), ref: 00415AD7
                                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$ErrorLastLocalTime
                                              • String ID: | $%I64u$5.1.0 Pro$8SG$C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
                                              • API String ID: 524882891-2069600463
                                              • Opcode ID: f4111c23b239b6d85035ded5f92305a41a10f59157bc3492b68ec566434726fd
                                              • Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
                                              • Opcode Fuzzy Hash: f4111c23b239b6d85035ded5f92305a41a10f59157bc3492b68ec566434726fd
                                              • Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNELBASE(00001388), ref: 0040A740
                                                • Part of subcall function 0040A675: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                                • Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                                • Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                                • Part of subcall function 0040A675: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                              • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 0040A77C
                                              • GetFileAttributesW.KERNELBASE(00000000), ref: 0040A78D
                                              • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 0040A7A4
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 0040A81E
                                                • Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040A843), ref: 0041C49E
                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$AttributesCreate$Sleep$ChangeCloseDirectoryExistsFindNotificationPathSize
                                              • String ID: 8SG$8SG$pQG$pQG$PG$PG
                                              • API String ID: 110482706-1152054767
                                              • Opcode ID: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                              • Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
                                              • Opcode Fuzzy Hash: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
                                              • Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

                                              Control-flow Graph

                                              control_flow_graph 1023 4048c8-4048e8 connect 1024 404a1b-404a1f 1023->1024 1025 4048ee-4048f1 1023->1025 1028 404a21-404a2f WSAGetLastError 1024->1028 1029 404a97 1024->1029 1026 404a17-404a19 1025->1026 1027 4048f7-4048fa 1025->1027 1030 404a99-404a9e 1026->1030 1031 404926-404930 call 420c60 1027->1031 1032 4048fc-404923 call 40531e call 402093 call 41b4ef 1027->1032 1028->1029 1033 404a31-404a34 1028->1033 1029->1030 1043 404941-40494e call 420e8f 1031->1043 1044 404932-40493c 1031->1044 1032->1031 1036 404a71-404a76 1033->1036 1037 404a36-404a6f call 41cae1 call 4052fd call 402093 call 41b4ef call 401fd8 1033->1037 1040 404a7b-404a94 call 402093 * 2 call 41b4ef 1036->1040 1037->1029 1040->1029 1057 404950-404973 call 402093 * 2 call 41b4ef 1043->1057 1058 404987-404992 call 421a40 1043->1058 1044->1040 1084 404976-404982 call 420ca0 1057->1084 1069 4049c4-4049d1 call 420e06 1058->1069 1070 404994-4049c2 call 402093 * 2 call 41b4ef call 4210b2 1058->1070 1081 4049d3-4049f6 call 402093 * 2 call 41b4ef 1069->1081 1082 4049f9-404a14 CreateEventW * 2 1069->1082 1070->1084 1081->1082 1082->1026 1084->1029
                                              APIs
                                              • connect.WS2_32(?,?,?), ref: 004048E0
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
                                              • WSAGetLastError.WS2_32 ref: 00404A21
                                                • Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                              • API String ID: 994465650-2151626615
                                              • Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                              • Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
                                              • Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
                                              • Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

                                              Control-flow Graph

                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E4C
                                              • closesocket.WS2_32(000000FF), ref: 00404E5A
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBF
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EC4
                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED6
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                              • String ID:
                                              • API String ID: 2403171778-0
                                              • Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                              • Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
                                              • Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
                                              • Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

                                              Control-flow Graph

                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 0040AD38
                                              • Sleep.KERNELBASE(000001F4), ref: 0040AD43
                                              • GetForegroundWindow.USER32 ref: 0040AD49
                                              • GetWindowTextLengthW.USER32(00000000), ref: 0040AD52
                                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040AD86
                                              • Sleep.KERNEL32(000003E8), ref: 0040AE54
                                                • Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,?,0040B82F,?,?,?,?,?,00000000), ref: 0040A662
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                              • String ID: [${ User has been idle for $ minutes }$]
                                              • API String ID: 911427763-3954389425
                                              • Opcode ID: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                              • Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
                                              • Opcode Fuzzy Hash: af3cf2329a29d0ead1f6790201367748a0b563353980fa9fd476e2dccae2fe78
                                              • Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

                                              Control-flow Graph

                                              control_flow_graph 1195 40da34-40da59 call 401f86 1198 40db83-40dba9 call 401f04 GetLongPathNameW call 40417e 1195->1198 1199 40da5f 1195->1199 1223 40dbae-40dc1b call 40417e call 40ddd1 call 402fa5 * 2 call 401f09 * 5 1198->1223 1201 40da70-40da7e call 41b5b4 call 401f13 1199->1201 1202 40da91-40da96 1199->1202 1203 40db51-40db56 1199->1203 1204 40daa5-40daac call 41bfb7 1199->1204 1205 40da66-40da6b 1199->1205 1206 40db58-40db5d 1199->1206 1207 40da9b-40daa0 1199->1207 1208 40db6e 1199->1208 1209 40db5f-40db64 call 43c0cf 1199->1209 1226 40da83 1201->1226 1210 40db73-40db78 call 43c0cf 1202->1210 1203->1210 1224 40db00-40db4c call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1204->1224 1225 40daae-40dafe call 40417e call 43c0cf call 40417e call 402fa5 call 401f13 call 401f09 * 2 1204->1225 1205->1210 1206->1210 1207->1210 1208->1210 1219 40db69-40db6c 1209->1219 1220 40db79-40db7e call 409057 1210->1220 1219->1208 1219->1220 1220->1198 1224->1226 1231 40da87-40da8c call 401f09 1225->1231 1226->1231 1231->1198
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040DB9A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LongNamePath
                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                              • API String ID: 82841172-425784914
                                              • Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                              • Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
                                              • Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
                                              • Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

                                              Control-flow Graph

                                              control_flow_graph 1294 41c3f1-41c402 1295 41c404-41c407 1294->1295 1296 41c41a-41c421 1294->1296 1297 41c410-41c418 1295->1297 1298 41c409-41c40e 1295->1298 1299 41c422-41c43b CreateFileW 1296->1299 1297->1299 1298->1299 1300 41c441-41c446 1299->1300 1301 41c43d-41c43f 1299->1301 1303 41c461-41c472 WriteFile 1300->1303 1304 41c448-41c456 SetFilePointer 1300->1304 1302 41c47f-41c484 1301->1302 1305 41c474 1303->1305 1306 41c476-41c47d FindCloseChangeNotification 1303->1306 1304->1303 1307 41c458-41c45f CloseHandle 1304->1307 1305->1306 1306->1302 1307->1301
                                              APIs
                                              • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00466468,00000000,00000000,0040D3F9,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041C430
                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 0041C44D
                                              • CloseHandle.KERNEL32(00000000), ref: 0041C459
                                              • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0041C46A
                                              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0041C477
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                                              • String ID: hpF
                                              • API String ID: 1087594267-151379673
                                              • Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                              • Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
                                              • Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
                                              • Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

                                              Control-flow Graph

                                              control_flow_graph 1308 41b2c3-41b31a call 41bfb7 call 4135a6 call 401fe2 call 401fd8 call 406ae1 1319 41b35d-41b366 1308->1319 1320 41b31c-41b32b call 4135a6 1308->1320 1322 41b368-41b36d 1319->1322 1323 41b36f 1319->1323 1325 41b330-41b347 call 401fab StrToIntA 1320->1325 1324 41b374-41b37f call 40537d 1322->1324 1323->1324 1330 41b355-41b358 call 401fd8 1325->1330 1331 41b349-41b352 call 41cf69 1325->1331 1330->1319 1331->1330
                                              APIs
                                                • Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8
                                                • Part of subcall function 004135A6: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                                • Part of subcall function 004135A6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                                • Part of subcall function 004135A6: RegCloseKey.KERNELBASE(?), ref: 004135F2
                                              • StrToIntA.SHLWAPI(00000000,0046C9F8,00000000,00000000,00000000,004750E4,00000003,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0041B33C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCurrentOpenProcessQueryValue
                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                              • API String ID: 1866151309-2070987746
                                              • Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                              • Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
                                              • Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
                                              • Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

                                              Control-flow Graph

                                              control_flow_graph 1382 40a675-40a685 1383 40a722-40a725 1382->1383 1384 40a68b-40a68d 1382->1384 1385 40a690-40a6b6 call 401f04 CreateFileW 1384->1385 1388 40a6f6 1385->1388 1389 40a6b8-40a6c6 GetFileSize 1385->1389 1390 40a6f9-40a6fd 1388->1390 1391 40a6c8 1389->1391 1392 40a6ed-40a6f4 FindCloseChangeNotification 1389->1392 1390->1385 1393 40a6ff-40a702 1390->1393 1394 40a6d2-40a6d9 1391->1394 1395 40a6ca-40a6d0 1391->1395 1392->1390 1393->1383 1396 40a704-40a70b 1393->1396 1397 40a6e2-40a6e7 Sleep 1394->1397 1398 40a6db-40a6dd call 40b0dc 1394->1398 1395->1392 1395->1394 1396->1383 1400 40a70d-40a71d call 40905c call 40a179 1396->1400 1397->1392 1398->1397 1400->1383
                                              APIs
                                              • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
                                              • Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040A74D), ref: 0040A6EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$ChangeCloseCreateFindNotificationSizeSleep
                                              • String ID: XQG
                                              • API String ID: 4068920109-3606453820
                                              • Opcode ID: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                              • Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
                                              • Opcode Fuzzy Hash: ed692bf81f71d99d64d0e48405d0f3cb823898ebec9c5078a7592842c921da17
                                              • Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E
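The API records in this listing are machine output: arguments are raw hexadecimal words and the API names are whatever the disassembler resolved. The script below is an example added to this page, not Joe Sandbox or Remcos code. It parses lines in the report's `Name.MODULE(arg,arg,...), ref: address` format (the sample text is copied from function blocks in this listing, including this one), decodes well-known Win32 constants (GENERIC_READ, OPEN_EXISTING, HKEY_CURRENT_USER, REG_DWORD, SOCK_STREAM, the WSAStartup version word), and turns the API mix of each function block into coarse behaviour tags. The tag names and the 5-second Sleep threshold are the example's own choices, not anything the report defines. It also renames FindCloseChangeNotification to CloseHandle: the two names resolve to the same export address in kernelbase.dll, so a plain handle close after CreateFileW/GetFileSize is routinely labelled this way by disassemblers.

```python
import re
from dataclasses import dataclass

# Constructed sample: API lines copied from function blocks of this report (process 0xD, base 0x400000).
SAMPLE = """\
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0040A74D), ref: 0040A6AB
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
• Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
• FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,0040A74D), ref: 0040A6EE
Strings
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
• RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
APIs
• socket.WS2_32(?,00000001,00000006), ref: 00404852
• WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
APIs
• GetForegroundWindow.USER32 ref: 0041BAB8
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
"""

# Name.MODULE(arg,arg,...), ref: ADDRESS  (the argument list is optional)
API_LINE = re.compile(r"^\s*•\s*(?P<api>\w+)\.(?P<mod>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
SOCK_TYPES, PROTOS = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}, {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list  # int for 8-digit hex words, None for '?', str for anything else
    ref: int    # address of the call instruction


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_blocks(text):
    """Split the listing at its 'APIs' headers; one list of ApiCall per function block."""
    blocks = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
        elif (m := API_LINE.match(line)) and blocks:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            blocks[-1].append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
    return blocks


def arg(call, i):
    return call.args[i] if i < len(call.args) else None


def name(table, value, bits=False):
    """Symbolic name for a constant, or '|'-joined flag names when bits=True."""
    if not isinstance(value, int):
        return "?" if value is None else str(value)
    if bits:
        return "|".join(n for bit, n in table.items() if value & bit) or hex(value)
    return table.get(value, hex(value))


def decode(call):
    """Short note for calls whose arguments carry well-known constants, else None."""
    api, a = call.api, lambda i: arg(call, i)
    if api in ("CreateFileW", "CreateFileA"):
        return f"access={name(ACCESS, a(1), bits=True)} disposition={name(DISPOSITION, a(4))}"
    if api == "Sleep":
        return f"{a(0)} ms"
    if api.startswith(("RegOpenKeyEx", "RegCreateKey")):
        return f"root={name(HKEYS, a(0))}"
    if api.startswith("RegSetValueEx"):
        return f"type={name(REG_TYPES, a(3))}"  # dwType is the 4th parameter
    if api == "socket":
        return f"type={name(SOCK_TYPES, a(1))} proto={name(PROTOS, a(2))}"
    if api == "WSAStartup" and isinstance(a(0), int):
        return f"winsock {a(0) & 0xFF}.{a(0) >> 8}"  # low byte major, high byte minor
    if api == "FindCloseChangeNotification":
        # Disassembler artefact: this export shares its address with CloseHandle in
        # kernelbase.dll, so a plain handle close gets labelled this way.
        return "CloseHandle (shared export address)"
    return None


def behaviours(calls):
    """Coarse tags for one function block, from API names and decoded arguments (example's own taxonomy)."""
    apis, tags = {c.api for c in calls}, set()
    if {"GetForegroundWindow", "GetWindowTextW"} <= apis:
        tags.add("foreground-window-title capture")
    if any(c.api == "Sleep" and isinstance(arg(c, 0), int) and arg(c, 0) >= 5000 for c in calls):
        tags.add("long sleep")
    hkcu = any(c.api.startswith(("RegOpenKeyEx", "RegCreateKey")) and arg(c, 0) == 0x80000001 for c in calls)
    if hkcu and any(c.api.startswith("RegSetValueEx") for c in calls):
        tags.add("HKCU registry write")
    if {"socket", "WSAStartup", "send", "recv"} & apis:
        tags.add("winsock use")
    return sorted(tags)
```

Run over this function's block, `decode` turns Sleep(00002710) into 10000 ms and CreateFileW's 80000000/00000003 into GENERIC_READ with OPEN_EXISTING, which reads naturally with the graph above: the function keeps reopening a file, checking its size, sleeping ten seconds and closing the handle until a condition at 40a6ff is met. Feed each block separately; the tags are per function, and mixing blocks would conflate unrelated API sets.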

Control-flow Graph (block list reconstructed from the report's graph data; each line is a basic block, its calls, and its successor blocks; 446782 is the _free callee listed under APIs)
• 448299-4482b0: GetLastError -> 4482b2-4482bc | 4482be-4482c5
• 4482b2-4482bc: call 4487bc -> 4482be-4482c5 | 44830f-448316
• 4482be-4482c5: call 445af3 -> 4482ca-4482d0
• 4482ca-4482d0 -> 4482d2 | 4482db-4482e9
• 4482d2 -> 4482d3-4482d9
• 4482d3-4482d9: call 446782 -> 448306-44830d
• 4482db-4482e9: call 448812 -> 4482eb-4482ec | 4482ee-448304
• 4482eb-4482ec -> 4482d3-4482d9
• 4482ee-448304: call 448087, call 446782 -> 448306-44830d | 44830f-448316
• 448306-44830d: SetLastError -> 448318-44831d
• 44830f-448316: SetLastError -> 448318-44831d
• 448318-44831d (exit)
                                              APIs
                                              • GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
                                              • _free.LIBCMT ref: 004482D3
                                              • _free.LIBCMT ref: 004482FA
                                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
                                              • SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              • String ID:
                                              • API String ID: 3170660625-0
                                              • Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                              • Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
                                              • Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
                                              • Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

                                              Control-flow Graph

                                              APIs
                                              • CreateThread.KERNELBASE(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040A20E
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040A21A
                                                • Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040B172
                                                • Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread$LocalTimewsprintf
                                              • String ID: Offline Keylogger Started
                                              • API String ID: 465354869-4114347211
                                              • Opcode ID: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                              • Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
                                              • Opcode Fuzzy Hash: e8215c935415644a741e178cef246bea46bfec4a592ac60f75e4063261735619
                                              • Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB
                                              APIs
                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
                                              • RegSetValueExA.KERNELBASE(?,004674B8,00000000,?,00000000,00000000,004752F0,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137A6
                                              • RegCloseKey.KERNELBASE(?,?,?,0040F853,004674B8,5.1.0 Pro), ref: 004137B1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID: pth_unenc
                                              • API String ID: 1818849710-4028850238
                                              • Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                              • Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
                                              • Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
                                              • Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54
                                              APIs
                                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
                                              • GetLastError.KERNEL32 ref: 0040D083
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateErrorLastMutex
                                              • String ID: SG
                                              • API String ID: 1925916568-3189917014
                                              • Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                              • Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
                                              • Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
                                              • Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519
                                              APIs
                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36
                                              • WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
                                              • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EventObjectSingleWaitsend
                                              • String ID:
                                              • API String ID: 3963590051-0
                                              • Opcode ID: a00f43e109d8a5bcbea84027ff4f42fb49a7104e756b4714260ac134e081549c
                                              • Instruction ID: 83b425c638d75041f18e819343fb0b0c123ba7f8272f9a3a5816098776915250
                                              • Opcode Fuzzy Hash: a00f43e109d8a5bcbea84027ff4f42fb49a7104e756b4714260ac134e081549c
                                              • Instruction Fuzzy Hash: A52126B2900119BBCB04ABA1DC95DEE773CFF14314B00452BF515B21E2EE79AA15C6A4
                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004135CA
                                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004135E7
                                              • RegCloseKey.KERNELBASE(?), ref: 004135F2
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                              • Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
                                              • Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
                                              • Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4
                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,004752F0), ref: 00413714
                                              • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 0041372D
                                              • RegCloseKey.KERNELBASE(00000000), ref: 00413738
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                              • Instruction ID: 3f277cad741e4f631881634228dfc272d65c1146f3ef4f3c344e6cfa7cb73972
                                              • Opcode Fuzzy Hash: 16fdc48d36bb649990d7f6d81c9afeb312c2f40a16629baa57fa9ba92c9a975a
                                              • Instruction Fuzzy Hash: 1C018BB1400229FBDF216FA1DC04DEB3F38EF05751F004065BE08621A1D6358AA5DBA4
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 0044F3E1
                                              • _free.LIBCMT ref: 0044F41A
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F421
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EnvironmentStrings$Free_free
                                              • String ID:
                                              • API String ID: 2716640707-0
                                              • Opcode ID: f3c2c49517413e8eabdba28df60095274e0f4285ab7e88089faf331cb05c3344
                                              • Instruction ID: a95b0472bde791e81118f5b212bf6f07b4125f005b99c6aef0626ee370485fe8
                                              • Opcode Fuzzy Hash: f3c2c49517413e8eabdba28df60095274e0f4285ab7e88089faf331cb05c3344
                                              • Instruction Fuzzy Hash: 50E06577144A216BB211362A7C49D6F2A18DFD67BA727013BF45486143DE288D0641FA
                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00413569
                                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004752F0), ref: 00413587
                                              • RegCloseKey.KERNELBASE(?), ref: 00413592
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                              • Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
                                              • Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
                                              • Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94
                                              APIs
                                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040C19C,00466C48), ref: 00413516
                                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040C19C,00466C48), ref: 0041352A
                                              • RegCloseKey.KERNELBASE(?,?,?,0040C19C,00466C48), ref: 00413535
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                              • Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
                                              • Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
                                              • Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4
                                              APIs
                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
                                              • RegSetValueExA.KERNELBASE(004660A4,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138A0
                                              • RegCloseKey.ADVAPI32(004660A4,?,?,?,0040C152,00466C48,00000001,000000AF,004660A4), ref: 004138AB
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID:
                                              • API String ID: 1818849710-0
                                              • Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                              • Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
                                              • Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
                                              • Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID: pQG
                                              • API String ID: 176396367-3769108836
                                              • Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                              • Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
                                              • Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
                                              • Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041B7CA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID: @
                                              • API String ID: 1890195054-2766056989
                                              • Opcode ID: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                              • Instruction ID: 2d2b64c70bc766df394076410504e3f9c8f669937c614d63c6700d8895b1c70c
                                              • Opcode Fuzzy Hash: 2ff32e62116e468e6d8a54eb6c0bfd9d688f6c12eac0596ef65494206548ed21
                                              • Instruction Fuzzy Hash: E6D017B58023189FC720DFA8E804A8DBBFCFB08210F00456AEC49E3700E770E8008B94
                                              APIs
                                              • socket.WS2_32(?,00000001,00000006), ref: 00404852
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E
                                                • Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEventStartupsocket
                                              • String ID:
                                              • API String ID: 1953588214-0
                                              • Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                              • Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
                                              • Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
                                              • Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                              • Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
                                              • Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
                                              • Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 0041BAB8
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041BACB
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$ForegroundText
                                              • String ID:
                                              • API String ID: 29597999-0
                                              • Opcode ID: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                              • Instruction ID: 4615795adb372a642f3ed3ff298372a60f443b3219566b47796808df054d69ed
                                              • Opcode Fuzzy Hash: 3324f64634fda987d6d57ad9b9c1a74d02492aa66b07baf7772615d4eb65d97a
                                              • Instruction Fuzzy Hash: CCE0D875A00328A7E720A7A49C4EFE5776CEB08701F0000EEBA18D71C2EAB4AD04C7E4
                                              APIs
                                              • getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
                                              • WSASetLastError.WS2_32(00000000), ref: 00414F10
                                                • Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
                                                • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
                                                • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
                                                • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
                                                • Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
                                                • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
                                                • Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
                                                • Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                              • String ID:
                                              • API String ID: 1170566393-0
                                              • Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                              • Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
                                              • Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
                                              • Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004482CA,00000001,00000364,?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000), ref: 00445B34
                                              Memory Dump Source
                                              • Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_13_2_400000_vbc.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169
Memory Dump Source
• Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• WSAStartup.WS2_32(00000202,00000000), ref: 004048B3
Memory Dump Source
• Source File: 0000000D.00000002.3360399590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_vbc.jbxd
Yara matches
Similarity
• API ID: Startup
• String ID:
• API String ID: 724789610-0